
Windows Analysis Report
ekstre_pdf.exe

Overview

General Information

Sample name: ekstre_pdf.exe
Analysis ID: 1410992
MD5: 3ca1479d77a23d47a2f01e8ef30a6365
SHA1: 3850b7445cbf81387f910ebe710d0dbdad33a91e
SHA256: 074170a0febc20013e9c8cade256a031be328cefc2838f8f6ed394b4caf05b5f
Tags: exe

Detection

AgentTesla, PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • ekstre_pdf.exe (PID: 7720 cmdline: C:\Users\user\Desktop\ekstre_pdf.exe MD5: 3CA1479D77A23D47A2F01E8EF30A6365)
    • RegSvcs.exe (PID: 7800 cmdline: C:\Users\user\Desktop\ekstre_pdf.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • ekstre_pdf.exe (PID: 7808 cmdline: C:\Users\user\Desktop\ekstre_pdf.exe MD5: 3CA1479D77A23D47A2F01E8EF30A6365)
      • RegSvcs.exe (PID: 7876 cmdline: C:\Users\user\Desktop\ekstre_pdf.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"Exfil Mode": "SMTP", "Host": "smtp.gmail.com", "Username": "vonhann5@gmail.com", "Password": "bcpg ndrj tkte xxvk"}
{"C2 url": ["smtp.gmail.com"]}
Source | Rule | Description | Author | Strings
Source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
  • 0x4185b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x418cd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x41957:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x419e9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x41a53:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x41ac5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x41b5b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x41beb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 00000000.00000002.1241306003.0000000001990000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 06 88 44 24 2B 88 44 24 2F B0 56 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
Source: 6.2.RegSvcs.exe.400000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 6.2.RegSvcs.exe.400000.0.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 06 88 44 24 2B 88 44 24 2F B0 56 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 0.2.ekstre_pdf.exe.1990000.1.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 142.251.16.108, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7876, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49706
No Snort rule has matched


AV Detection

Source: 6.2.RegSvcs.exe.27b00a6.1.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["smtp.gmail.com"]}
Source: 6.2.RegSvcs.exe.5170ee8.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "smtp.gmail.com", "Username": "vonhann5@gmail.com", "Password": "bcpg ndrj tkte xxvk"}
Source: ekstre_pdf.exe | ReversingLabs: Detection: 55%
Source: ekstre_pdf.exe | Joe Sandbox ML: detected
Source: ekstre_pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49705 version: TLS 1.2
Source: Binary string: _.pdb source: RegSvcs.exe, 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: ekstre_pdf.exe, 00000000.00000003.1239187384.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000000.00000003.1239055260.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000003.00000003.1265617174.0000000003670000.00000004.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000003.00000003.1265914215.00000000034D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ekstre_pdf.exe, 00000000.00000003.1239187384.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000000.00000003.1239055260.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000003.00000003.1265617174.0000000003670000.00000004.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000003.00000003.1265914215.00000000034D0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00234696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00234696
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023C93C FindFirstFileW,FindClose,0_2_0023C93C
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0023C9C7
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0023F200
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0023F35D
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0023F65E
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00233A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00233A2B
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00233D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00233D4E
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0023BF27

Networking

Source: Malware configuration extractor | URLs: smtp.gmail.com
Source: global traffic | TCP traffic: 192.168.2.10:49706 -> 142.251.16.108:587
Source: Joe Sandbox View | IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.10:49706 -> 142.251.16.108:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_002425E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_002425E2
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: RegSvcs.exe, 00000006.00000002.3684866466.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: RegSvcs.exe, 00000006.00000002.3691681148.0000000006B5C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: RegSvcs.exe, 00000006.00000002.3686287968.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.000000000315A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689607799.0000000005273000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691531940.0000000006B1F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000003017000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0
Source: RegSvcs.exe, 00000006.00000002.3684866466.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: RegSvcs.exe, 00000006.00000002.3686287968.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.000000000315A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689607799.0000000005273000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691531940.0000000006B1F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000003017000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: RegSvcs.exe, 00000006.00000002.3691681148.0000000006B5C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: RegSvcs.exe, 00000006.00000002.3684866466.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: RegSvcs.exe, 00000006.00000002.3686287968.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.000000000315A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689607799.0000000005273000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691531940.0000000006B1F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000003017000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: RegSvcs.exe, 00000006.00000002.3691681148.0000000006B5C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: RegSvcs.exe, 00000006.00000002.3686287968.0000000002C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000006.00000002.3686287968.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.000000000315A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000003017000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.gmail.com
Source: RegSvcs.exe, 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000006.00000002.3691681148.0000000006B5C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49705 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, 8AYyiOU7.cs | .Net Code: eAwJA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0024425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0024425A
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00244458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00244458
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0024425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0024425A
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00230219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00230219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0025CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0025CDAC

                System Summary

                barindex
                Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.ekstre_pdf.exe.1990000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 6.2.RegSvcs.exe.5310000.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.RegSvcs.exe.5170000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.RegSvcs.exe.5170ee8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.RegSvcs.exe.27b00a6.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.RegSvcs.exe.27b0f8e.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.RegSvcs.exe.27b0f8e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.RegSvcs.exe.5170000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 3.2.ekstre_pdf.exe.17b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 6.2.RegSvcs.exe.27b00a6.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.RegSvcs.exe.5170ee8.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000000.00000002.1241306003.0000000001990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 00000003.00000002.1271764010.00000000017B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000006.00000002.3684362034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001D3B4C: This is a third-party compiled AutoIt script.
Source: ekstre_pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ekstre_pdf.exe, 00000000.00000000.1213096225.0000000000285000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_9b00c9d2-3)
Source: ekstre_pdf.exe, 00000000.00000000.1213096225.0000000000285000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_5991a3fb-0)
Source: ekstre_pdf.exe, 00000003.00000002.1271026336.0000000000285000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_ea5142da-9)
Source: ekstre_pdf.exe, 00000003.00000002.1271026336.0000000000285000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_ec2f847b-b)
Source: ekstre_pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_820324bc-d)
Source: ekstre_pdf.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_ffd0f491-7)
Source: initial sample | Static PE information: Filename: ekstre_pdf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00234021: CreateFileW, DeviceIoControl, CloseHandle
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00228AF8: GetCurrentProcess, OpenProcessToken, CreateEnvironmentBlock, CloseHandle, CreateProcessWithLogonW, DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023545F: ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001DE800
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001FDBB5
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001DFE40
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0025804A
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001DE060
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001E4140
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001F2405
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00206522
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00250665
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0020267E
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001F283A
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001E6843
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_002089DF
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001E8A0E
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00206A94
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00250AE2
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0022EB07
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00238B13
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001FCD61
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00207006
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001E710E
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001E3190
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001D1287
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001F33C7
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001FF419
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001E5680
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001F16C4
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001F78D3
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001E58C0
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001F1BB8
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00209D05
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001F1FD0
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001FBFE6
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_01983760
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 3_2_017A3760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029ECFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029ECC88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029ED8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029E0FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029E1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_060CEE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_060C96F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_060CBD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_060C6298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_060C5A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_060CF598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_060C001E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_060C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_064E1C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_064E5230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_064EA0C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_064E61B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_064E1530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_064EDBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0040E1D8 appears 43 times
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: String function: 001F8B40 appears 42 times
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: String function: 001D7F41 appears 35 times
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: String function: 001F0D27 appears 70 times
Source: ekstre_pdf.exe, 00000000.00000002.1241306003.0000000001990000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef36e5165-0f45-404a-a1e4-a8be0e5d9eef.exe4 vs ekstre_pdf.exe
Source: ekstre_pdf.exe, 00000000.00000003.1238798726.0000000003D3D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre_pdf.exe
Source: ekstre_pdf.exe, 00000000.00000003.1238663855.0000000003B93000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre_pdf.exe
Source: ekstre_pdf.exe, 00000003.00000003.1264653481.000000000379D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre_pdf.exe
Source: ekstre_pdf.exe, 00000003.00000003.1266848195.00000000035F3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre_pdf.exe
Source: ekstre_pdf.exe, 00000003.00000002.1271764010.00000000017B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef36e5165-0f45-404a-a1e4-a8be0e5d9eef.exe4 vs ekstre_pdf.exe
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Section loaded: ntmarta.dll
Source: ekstre_pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine (snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073)
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine (snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073)
Source: 0.2.ekstre_pdf.exe.1990000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine (snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073)
Source: 6.2.RegSvcs.exe.5310000.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 6.2.RegSvcs.exe.5170000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 6.2.RegSvcs.exe.5170ee8.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 6.2.RegSvcs.exe.27b00a6.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 6.2.RegSvcs.exe.27b0f8e.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 6.2.RegSvcs.exe.27b0f8e.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 6.2.RegSvcs.exe.5170000.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 3.2.ekstre_pdf.exe.17b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine (snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073)
Source: 6.2.RegSvcs.exe.27b00a6.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 6.2.RegSvcs.exe.5170ee8.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 00000000.00000002.1241306003.0000000001990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine (snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073)
Source: 00000003.00000002.1271764010.00000000017B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine (snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073)
Source: 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 00000006.00000002.3684362034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine (snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073)
Source: 6.2.RegSvcs.exe.5170ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.5170ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, pedwBeAo9.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, Mi6W.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, s0nDliRGT.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, UGDeyt2ww1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, xpue.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, u4JW9.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/6@3/2
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023A2D5: GetLastError, FormatMessageW
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00228713: AdjustTokenPrivileges, CloseHandle
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00228CC3: LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023B59E: SetErrorMode, GetDiskFreeSpaceExW, SetErrorMode
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0024F121: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023C602: CoInitialize, CoCreateInstance, CoUninitialize
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001D4FE9: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\ekstre_pdf.exe | File created: C:\Users\user\AppData\Local\Temp\aut46DF.tmp
Source: ekstre_pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ekstre_pdf.exe | ReversingLabs: Detection: 55%
Source: unknown | Process created: C:\Users\user\Desktop\ekstre_pdf.exe C:\Users\user\Desktop\ekstre_pdf.exe
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\ekstre_pdf.exe
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Process created: C:\Users\user\Desktop\ekstre_pdf.exe C:\Users\user\Desktop\ekstre_pdf.exe
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\ekstre_pdf.exe
                Source: C:\Users\user\Desktop\ekstre_pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\ekstre_pdf.exeJump to behavior
                Source: C:\Users\user\Desktop\ekstre_pdf.exeProcess created: C:\Users\user\Desktop\ekstre_pdf.exe C:\Users\user\Desktop\ekstre_pdf.exeJump to behavior
                Source: C:\Users\user\Desktop\ekstre_pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\ekstre_pdf.exeJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                Source: ekstre_pdf.exe | Static file information: File size 1231872 > 1048576
                Source: ekstre_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: ekstre_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: ekstre_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: ekstre_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: ekstre_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: ekstre_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: ekstre_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: _.pdb source: RegSvcs.exe, 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: ekstre_pdf.exe, 00000000.00000003.1239187384.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000000.00000003.1239055260.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000003.00000003.1265617174.0000000003670000.00000004.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000003.00000003.1265914215.00000000034D0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: ekstre_pdf.exe, 00000000.00000003.1239187384.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000000.00000003.1239055260.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000003.00000003.1265617174.0000000003670000.00000004.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000003.00000003.1265914215.00000000034D0000.00000004.00001000.00020000.00000000.sdmp
                Source: ekstre_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: ekstre_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: ekstre_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: ekstre_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: ekstre_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
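The process-creation entries above are the most useful lines in this part of the report. The loader ekstre_pdf.exe starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, a signed .NET framework utility, but the command line handed to that process is the loader's own path, not the RegSvcs.exe path a normal launch would carry. That image/command-line mismatch is a common tell of RunPE-style process hollowing (the target is created suspended and its image replaced), which matches the "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures in the summary, and it explains why the credential-theft and WMI activity elsewhere in this report is attributed to RegSvcs.exe rather than to the sample. The following Python is an added example, not code from the Joe Sandbox report or from any tool it describes: it parses "Process created" entries in the report's own line format and flags the mismatch. The excerpt it runs on is a constructed copy of the entries above; the watch-list of commonly hollowed framework binaries and the user-writable path heuristic are the example's own assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# One report entry, with or without a separator between the source path and the
# signature text and with or without the trailing "Jump to behavior" link text.
PROC_CREATED = re.compile(
    r"Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*(?P<rest>.+?)\s*(?:Jump to behavior)?$"
)

# Watch-list for this example (an assumption, not taken from the report): .NET framework
# utilities that loaders commonly start suspended and overwrite with their payload.
HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


@dataclass
class ProcEvent:
    parent: str
    image: str      # executable actually started
    cmd_exe: str    # executable named at the start of its command line
    cmd_args: str


def split_exe(cmdline: str):
    """Split a command line into (executable, remaining args); quote-aware so paths with spaces survive."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end > 0:
            return cmdline[1:end], cmdline[end + 1:].strip()
    parts = cmdline.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_process_events(lines):
    events = []
    for line in lines:
        m = PROC_CREATED.search(line)
        if not m:
            continue
        image, cmdline = split_exe(m.group("rest"))
        cmd_exe, cmd_args = split_exe(cmdline) if cmdline else (image, "")
        events.append(ProcEvent(m.group("parent"), image, cmd_exe, cmd_args))
    return events


def basename(path: str) -> str:
    return ntpath.basename(path).lower()   # ntpath handles backslash paths on any host OS


def from_user_writable(path: str) -> bool:
    # Heuristic (example's assumption): anything under a profile, temp or ProgramData directory.
    p = path.lower()
    return any(seg in p for seg in ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\"))


def hollowing_findings(lines):
    """Return [(event, [reasons])] for process creations that look like RunPE-style hollowing."""
    findings = []
    for ev in parse_process_events(lines):
        reasons = []
        if basename(ev.image) != basename(ev.cmd_exe):
            # A normal launch names the image itself at the start of the command line; a loader
            # that creates the target suspended and re-uses its own command line does not.
            reasons.append("image/command-line mismatch")
        if basename(ev.image) in HOLLOW_TARGETS and from_user_writable(ev.parent):
            reasons.append("framework utility launched from user-writable location")
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed copy of the four process-creation entries above, in the report's own text form.
REPORT_EXCERPT = r"""
Source: unknownProcess created: C:\Users\user\Desktop\ekstre_pdf.exe C:\Users\user\Desktop\ekstre_pdf.exe
Source: C:\Users\user\Desktop\ekstre_pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\ekstre_pdf.exe
Source: C:\Users\user\Desktop\ekstre_pdf.exeProcess created: C:\Users\user\Desktop\ekstre_pdf.exe C:\Users\user\Desktop\ekstre_pdf.exe
Source: C:\Users\user\Desktop\ekstre_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\ekstre_pdf.exeJump to behavior
""".strip().splitlines()

if __name__ == "__main__":
    for ev, reasons in hollowing_findings(REPORT_EXCERPT):
        print(f"{ev.parent} -> {ev.image} (command line names {ev.cmd_exe}): {', '.join(reasons)}")
```

The same comparison works on Sysmon event ID 1 (Image versus the first token of CommandLine) and on EDR process-start telemetry; on a real host the parent check should also require that the parent is not itself a signed installer, which this example does not model.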

                Data Obfuscation

                Source: 6.2.RegSvcs.exe.5170ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 6.2.RegSvcs.exe.27b0f8e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0024C304 LoadLibraryA,GetProcAddress,0_2_0024C304
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001F8B85 push ecx; ret 0_2_001F8B98
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041C40C push cs; iretd 6_2_0041C4E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00423149 push eax; ret 6_2_00423179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041C50E push cs; iretd 6_2_0041C4E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004231C8 push eax; ret 6_2_00423179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040E21D push ecx; ret 6_2_0040E230
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041C6BE push ebx; ret 6_2_0041C6BF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029E1AB2 push edx; ret 6_2_029E1AB3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029E1EA1 push edx; ret 6_2_029E1EA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029E47A4 push cs; retf 6_2_029E47A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029E1F2C push edx; ret 6_2_029E1F2D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029E3B41 push edx; ret 6_2_029E3B43
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029E2C6C push edx; ret 6_2_029E2C6D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029E21A4 push edx; ret 6_2_029E21A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029E1D03 push edx; ret 6_2_029E1D04
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_029E2536 push edx; ret 6_2_029E2537
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_060CFD69 push ecx; ret 6_2_060CFDA4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_064E7F64 push esp; iretd 6_2_064E7F65
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_064E7DC2 push esi; iretd 6_2_064E7DC3
                Source: 6.2.RegSvcs.exe.5170ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HlsljxLS23cWB', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HlsljxLS23cWB', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 6.2.RegSvcs.exe.27b0f8e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'HlsljxLS23cWB', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_001D4A35
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_002555FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_002555FD
                Source: C:\Users\user\Desktop\ekstre_pdf.exeCode function: 0_2_001F33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_001F33C7
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Process information set: NOOPENFILEERRORBOX (logged 4 times)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (logged 64 times)
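Two of the Data Obfuscation signatures above are cheap to reproduce offline when triaging an unpacked .NET payload. The first is the reflective lookup of Marshal.GetDelegateForFunctionPointer: the packer resolves the method by name at run time, so no P/Invoke declaration or delegate type for the native functions it calls is visible to static analysis, and it then invokes code at addresses it obtained itself through LoadLibrary/GetProcAddress. The second is the entropy of the concatenated method names, which for renamer-obfuscated assemblies approaches that of random mixed-case alphanumerics, whereas ordinary identifiers are mostly lower-case letters with a skewed distribution. The Python below is an added example, not code from the report or from Joe Sandbox: it computes the Shannon entropy of a name list and searches decompiled C# for typeof(X).GetMethod("Y") lookups. The obfuscated names are the ones quoted above; the ordinary comparison names and the 5.0 bits/character threshold are the example's own assumptions.

```python
import math
import re
from collections import Counter

# Method names quoted in the entries above for the class WP6RZJql8gZrNhVA9v.
OBFUSCATED_NAMES = ['G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL',
                    'VDqkQKyKML', 'HlsljxLS23cWB', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB']

# Constructed comparison set of ordinary .NET method names (the example's own, not from the report).
ORDINARY_NAMES = ['Initialize', 'Dispose', 'GetHashCode', 'ToString', 'ReadAllBytes',
                  'WriteLine', 'Equals', 'Connect', 'SendMessage', 'GetEnumerator']

# Constructed copy of the decompiled statement quoted above.
DECOMPILED_SNIPPET = r'typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})'


def shannon_entropy(text: str) -> float:
    """Bits per character of the symbol distribution in text (0.0 for a single repeated symbol)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names) -> float:
    """Entropy of all names concatenated, which is what the 'High entropy of concatenated
    method names' signature measures; renamer output approaches that of random alphanumerics."""
    return shannon_entropy("".join(names))


def looks_obfuscated(names, threshold_bits: float = 5.0) -> bool:
    # The threshold is this example's assumption; the sandbox's cut-off is not published here.
    return method_name_entropy(names) >= threshold_bits


# typeof(X).GetMethod("Y" ...): a member resolved by name at run time instead of a direct call,
# so neither a P/Invoke stub nor the target delegate type shows up in the static import view.
REFLECTIVE_LOOKUP = re.compile(r'typeof\((?P<type>\w+)\)\.GetMethod\(\s*"(?P<method>\w+)"')


def reflective_calls(source: str):
    """(type, method) pairs looked up via reflection in a decompiled C# fragment."""
    return [(m.group("type"), m.group("method")) for m in REFLECTIVE_LOOKUP.finditer(source)]


if __name__ == "__main__":
    print(f"obfuscated names: {method_name_entropy(OBFUSCATED_NAMES):.2f} bits/char")
    print(f"ordinary names:   {method_name_entropy(ORDINARY_NAMES):.2f} bits/char")
    print("reflective lookups:", reflective_calls(DECOMPILED_SNIPPET))
```

On the ten names quoted in the report the entropy is about 5.36 bits per character against roughly 4.47 for the ordinary set; the gap, not the absolute number, is what makes the check useful, so calibrate the threshold on a corpus of clean assemblies before relying on it.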

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,6_2_004019F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8478
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1361
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | API coverage: 4.7 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (logged 39 times)
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00234696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00234696
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023C93C FindFirstFileW,FindClose,0_2_0023C93C
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0023C9C7
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0023F200
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0023F35D
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0023F65E
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00233A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00233A2B
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00233D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00233D4E
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0023BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0023BF27
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_001D4AFE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99891
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99641
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99531
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99422
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99312
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99203
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99094
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98984
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98641
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98516
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98406
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98297
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98187
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98078
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97969
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99781
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99671
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99562
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99343
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99231
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99125
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99015
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98898
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98781
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98671
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98562
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98343
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98234Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98125Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98015Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99906Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99796Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99687Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99577Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99468Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99359Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99249Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99140Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99029Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98921Jump to behavior
                Source: RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | API call chain: ExitProcess graph end node | graph_0-97574
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | API call chain: ExitProcess graph end node | graph_0-97640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_002441FD BlockInput | 0_2_002441FD
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 0_2_001D3B4C
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00205CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer | 0_2_00205CCC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear | 6_2_004019F0
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0024C304 LoadLibraryA,GetProcAddress | 0_2_0024C304
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_019835F0 mov eax, dword ptr fs:[00000030h] | 0_2_019835F0
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_01983650 mov eax, dword ptr fs:[00000030h] | 0_2_01983650
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_01981ED0 mov eax, dword ptr fs:[00000030h] | 0_2_01981ED0
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 3_2_017A35F0 mov eax, dword ptr fs:[00000030h] | 3_2_017A35F0
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 3_2_017A3650 mov eax, dword ptr fs:[00000030h] | 3_2_017A3650
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 3_2_017A1ED0 mov eax, dword ptr fs:[00000030h] | 3_2_017A1ED0
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_002281F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_002281F7
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001FA364 SetUnhandledExceptionFilter | 0_2_001FA364
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001FA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_001FA395
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 6_2_0040CE09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 6_2_0040E61C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004123F1 SetUnhandledExceptionFilter | 6_2_004123F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8FA008
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00228C93 LogonUserW | 0_2_00228C93
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 0_2_001D3B4C
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_001D4A35
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00234EF5 mouse_event | 0_2_00234EF5
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\ekstre_pdf.exe
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\ekstre_pdf.exe
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_002281F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_002281F7
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00234C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 0_2_00234C03
                Source: ekstre_pdf.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: ekstre_pdf.exe | Binary or memory string: Shell_TrayWnd
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001F886B cpuid | 0_2_001F886B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoA | 6_2_00417A20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_002050D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_002050D7
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00212230 GetUserNameW | 0_2_00212230
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_0020418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte | 0_2_0020418A
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_001D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_001D4AFE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 6.2.RegSvcs.exe.5310000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b00a6.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b0f8e.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b0f8e.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b00a6.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3686287968.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7876, type: MEMORYSTR
                Source: Yara match | File source: 6.2.RegSvcs.exe.5310000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b00a6.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b0f8e.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b0f8e.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b00a6.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.ekstre_pdf.exe.1990000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.ekstre_pdf.exe.17b0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1241306003.0000000001990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1271764010.00000000017B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3684362034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: ekstre_pdf.exe | Binary or memory string: WIN_81
                Source: ekstre_pdf.exe | Binary or memory string: WIN_XP
                Source: ekstre_pdf.exe | Binary or memory string: WIN_XPe
                Source: ekstre_pdf.exe | Binary or memory string: WIN_VISTA
                Source: ekstre_pdf.exe | Binary or memory string: WIN_7
                Source: ekstre_pdf.exe | Binary or memory string: WIN_8
                Source: ekstre_pdf.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                Source: Yara match | File source: 6.2.RegSvcs.exe.5310000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b00a6.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b0f8e.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b0f8e.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b00a6.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3686287968.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7876, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 6.2.RegSvcs.exe.5310000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b00a6.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b0f8e.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b0f8e.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b00a6.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3686287968.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7876, type: MEMORYSTR
                Source: Yara match | File source: 6.2.RegSvcs.exe.5310000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b00a6.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b0f8e.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b0f8e.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5310000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.27b00a6.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.5170ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.ekstre_pdf.exe.1990000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.ekstre_pdf.exe.17b0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1241306003.0000000001990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1271764010.00000000017B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3684362034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00246596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket | 0_2_00246596
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00246A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 0_2_00246A5A
                Source: C:\Users\user\Desktop\ekstre_pdf.exe | Code function: 0_2_00207CF1 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset | 0_2_00207CF1
                MITRE ATT&CK matrix (one tactic per column; a number before a technique is the count of matched signatures for this sample):

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | 1 Native API | 2 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 221 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 2 Obfuscated Files or Information | 1 Credentials in Registry | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 Software Packing | NTDS | 48 System Information Discovery | Distributed Component Object Model | 221 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | 4 Clipboard Data | 123 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Valid Accounts | Cached Domain Credentials | 121 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 121 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Source | Detection | Scanner | Label | Link
                ekstre_pdf.exe | 55% | ReversingLabs | Win32.Trojan.AgentTesla
                ekstre_pdf.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                SourceDetectionScannerLabelLink
                http://crl.pki.goog/gsr1/gsr1.crl0;0%URL Reputationsafe
                http://crl.pki.goog/gtsr1/gtsr1.crl0W0%URL Reputationsafe
                http://pki.goog/gsr1/gsr1.crt020%URL Reputationsafe
                https://pki.goog/repository/00%URL Reputationsafe
                http://pki.goog/repo/certs/gts1c3.der00%URL Reputationsafe
                http://pki.goog/repo/certs/gtsr1.der040%URL Reputationsafe
                http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl00%Avira URL Cloudsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.13.205 | true | false | | high
smtp.gmail.com | 142.251.16.108 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
smtp.gmail.com | false | | high
                        NameSourceMaliciousAntivirus DetectionReputation
                        https://api.ipify.orgRegSvcs.exe, 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002C31000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://crl.pki.goog/gsr1/gsr1.crl0;RegSvcs.exe, 00000006.00000002.3684866466.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://account.dyn.com/RegSvcs.exe, 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmpfalse
                            high
                            http://crl.pki.goog/gtsr1/gtsr1.crl0WRegSvcs.exe, 00000006.00000002.3691681148.0000000006B5C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://pki.goog/gsr1/gsr1.crt02RegSvcs.exe, 00000006.00000002.3684866466.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://pki.goog/repository/0RegSvcs.exe, 00000006.00000002.3691681148.0000000006B5C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegSvcs.exe, 00000006.00000002.3686287968.0000000002C31000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://smtp.gmail.comRegSvcs.exe, 00000006.00000002.3686287968.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.000000000315A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000003017000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002DB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0RegSvcs.exe, 00000006.00000002.3686287968.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.000000000315A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689607799.0000000005273000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691531940.0000000006B1F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000003017000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://pki.goog/repo/certs/gts1c3.der0RegSvcs.exe, 00000006.00000002.3686287968.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.000000000315A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689607799.0000000005273000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691531940.0000000006B1F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000003017000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3686287968.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://pki.goog/repo/certs/gtsr1.der04RegSvcs.exe, 00000006.00000002.3691681148.0000000006B5C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3689645593.0000000005286000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691404388.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3691681148.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3685157991.0000000000E26000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
142.251.16.108 | smtp.gmail.com | United States | 15169 | GOOGLEUS | false
                                Joe Sandbox version:40.0.0 Tourmaline
                                Analysis ID:1410992
                                Start date and time:2024-03-18 14:37:24 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 9m 29s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:14
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:ekstre_pdf.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@7/6@3/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 96%
                                • Number of executed functions: 62
                                • Number of non-executed functions: 263
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: ekstre_pdf.exe
Time | Type | Description
14:38:17 | API Interceptor | 8646082x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe | malicious | PureLog Stealer, Targeted Ransomware | api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | FVN001-230824.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | PI.1.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
api.ipify.org | QUOTE.exe | malicious | AgentTesla, GuLoader | 172.67.74.152
api.ipify.org | Quotation lists.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | SOA FEB 2024.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | INVOICE.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | PO No.109480 Dt.18Mar2024 pdf.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | Vindegade.exe | malicious | AgentTesla, GuLoader | 104.26.12.205
api.ipify.org | https://cdn.discordapp.com/attachments/1219079930122338327/1219193029647274034/PO_No.109480_Dt.18Mar2024_pdf.7z?ex=660a68fd&is=65f7f3fd&hm=c1267cdec3cb72a30ed3524db2c95f7e2274d988486fe24145ef7f3d03bd1e0b& | malicious | AgentTesla | 104.26.12.205
api.ipify.org | PO.exe | malicious | AgentTesla | 104.26.12.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | FVN001-230824.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | Quote.exe | malicious | FormBook | 104.21.56.165
CLOUDFLARENETUS | PI.1.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
CLOUDFLARENETUS | proforma_Invoice_0009300_74885959969_9876.exe | malicious | Snake Keylogger | 104.21.67.152
CLOUDFLARENETUS | QUOTE.exe | malicious | AgentTesla, GuLoader | 172.67.74.152
CLOUDFLARENETUS | Quotation lists.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | SOA FEB 2024.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | gMCSnfJRqp.exe | malicious | FormBook | 172.67.169.232
CLOUDFLARENETUS | qPAi9IP2Ck.exe | malicious | Amadey, RisePro Stealer | 172.67.75.166
CLOUDFLARENETUS | https://cloudflare-ipfs.com/ipfs/bafkreif2klim7glbgcsrfe6lm7wfd2scwmhee5i6dglyggzgvjgl53zw2i/#ZHdlbnNlbEBob2xsYW5kY28uY29t | malicious | Unknown | 104.17.25.14
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | FVN001-230824.exe | malicious | AgentTesla | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | PI.1.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | QUOTE.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Quotation lists.exe | malicious | AgentTesla | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | SOA FEB 2024.exe | malicious | AgentTesla | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | 6000117092.exe | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Teklif 8822321378 .exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | 6000117092.exe | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | https://drive.google.com/file/d/1IKxLiXVTT7OY6TeIorneTBc8KCU0p08q/view?usp=sharing#urNkDtydE8 | malicious | Phisher | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | https://sprl.in/wBwUGK0 | malicious | Unknown | 104.26.13.205
                                No context
                                Process:C:\Users\user\Desktop\ekstre_pdf.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):272384
                                Entropy (8bit):7.859545735138241
                                Encrypted:false
                                SSDEEP:6144:Dvv83GFN62h4GeQk7absfrE2/rLYnecxuqBV9HA2beC:DsikGeoOrd/nNcxVHAgeC
                                MD5:86F20762B6A68FD588A6812A4327EF46
                                SHA1:0F29DBB8CEEF5388DAA4736A6816C93A1B8CB2CE
                                SHA-256:060DB2A188690FF10A0CA52F5F45D187432C339CC1690E9D4F1FDBC65CA67F92
                                SHA-512:3FAD47BF8779E1B55D4CACB2B2265B98BE3A42A36A8CAB7F58364212691025B2807F26810F6F2421279A1918B409DAD758DEAEF8B638E12B87A34A59B88557B2
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\Desktop\ekstre_pdf.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):12130
                                Entropy (8bit):7.754551036884044
                                Encrypted:false
                                SSDEEP:192:jq8gxVivjhoBzzUUzhQ/IEixKjIpMNRDGHqpdPwEZBAK+GujbNaPfmkAshY4ElER:jYivlmzgUzhQ/IEiRpeSsdPr3SGujbN0
                                MD5:B071209969F3D4A0BEAA47752CAE10AB
                                SHA1:020402DF3BEE77336E772789ADD87B33F3172FE4
                                SHA-256:187BB74C1E41598E6F56A8BDBE88260DCBF43A9BE000A413417487BFC6168C37
                                SHA-512:1A848465ABD10486DCC6C9445B14ED5D8B3F56DCD65B4B85C7639F7C38BDF29AC7058C5B0C0ADA64E6D4B2B6DBC3FFECE2CACE38661C8B709447BFDC48A368B9
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\Desktop\ekstre_pdf.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):272384
                                Entropy (8bit):7.859545735138241
                                Encrypted:false
                                SSDEEP:6144:Dvv83GFN62h4GeQk7absfrE2/rLYnecxuqBV9HA2beC:DsikGeoOrd/nNcxVHAgeC
                                MD5:86F20762B6A68FD588A6812A4327EF46
                                SHA1:0F29DBB8CEEF5388DAA4736A6816C93A1B8CB2CE
                                SHA-256:060DB2A188690FF10A0CA52F5F45D187432C339CC1690E9D4F1FDBC65CA67F92
                                SHA-512:3FAD47BF8779E1B55D4CACB2B2265B98BE3A42A36A8CAB7F58364212691025B2807F26810F6F2421279A1918B409DAD758DEAEF8B638E12B87A34A59B88557B2
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\Desktop\ekstre_pdf.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):12130
                                Entropy (8bit):7.754551036884044
                                Encrypted:false
                                SSDEEP:192:jq8gxVivjhoBzzUUzhQ/IEixKjIpMNRDGHqpdPwEZBAK+GujbNaPfmkAshY4ElER:jYivlmzgUzhQ/IEiRpeSsdPr3SGujbN0
                                MD5:B071209969F3D4A0BEAA47752CAE10AB
                                SHA1:020402DF3BEE77336E772789ADD87B33F3172FE4
                                SHA-256:187BB74C1E41598E6F56A8BDBE88260DCBF43A9BE000A413417487BFC6168C37
                                SHA-512:1A848465ABD10486DCC6C9445B14ED5D8B3F56DCD65B4B85C7639F7C38BDF29AC7058C5B0C0ADA64E6D4B2B6DBC3FFECE2CACE38661C8B709447BFDC48A368B9
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\Desktop\ekstre_pdf.exe
                                File Type:Unicode text, UTF-8 text, with very long lines (29698), with no line terminators
                                Category:dropped
                                Size (bytes):64526
                                Entropy (8bit):3.6790327326553753
                                Encrypted:false
                                SSDEEP:384:6nwQP4ZpI8iw6i8E12K+tMUj4Nze7H3/j65eiSB+um27LJVNx+cr1cicWa02QOr7:1iw601T+V4uPj659SBA27j91ktt4pDQ
                                MD5:1C2856F829B2C91B1BC05B13D2613AC4
                                SHA1:9F1022A5689346E3C1F4C5751839D991A1D0E25C
                                SHA-256:5A036D8BB41618EF45BB07B4CFDDA62A7216C8E3BE7A992D544979FD1D7AB235
                                SHA-512:D77AF6CB26EC6CBDE1EE8A252108191D3D71514D952E3512A92B51E64B9D4EBB45FD97FAE8A3E711019F87AEF6C9254884DBD423981BB7D6F7F9EB095DE4FC77
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\Desktop\ekstre_pdf.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):272384
                                Entropy (8bit):7.859545735138241
                                Encrypted:false
                                SSDEEP:6144:Dvv83GFN62h4GeQk7absfrE2/rLYnecxuqBV9HA2beC:DsikGeoOrd/nNcxVHAgeC
                                MD5:86F20762B6A68FD588A6812A4327EF46
                                SHA1:0F29DBB8CEEF5388DAA4736A6816C93A1B8CB2CE
                                SHA-256:060DB2A188690FF10A0CA52F5F45D187432C339CC1690E9D4F1FDBC65CA67F92
                                SHA-512:3FAD47BF8779E1B55D4CACB2B2265B98BE3A42A36A8CAB7F58364212691025B2807F26810F6F2421279A1918B409DAD758DEAEF8B638E12B87A34A59B88557B2
                                Malicious:false
                                Reputation:low
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.104096350388749
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:ekstre_pdf.exe
                                File size:1'231'872 bytes
                                MD5:3ca1479d77a23d47a2f01e8ef30a6365
                                SHA1:3850b7445cbf81387f910ebe710d0dbdad33a91e
                                SHA256:074170a0febc20013e9c8cade256a031be328cefc2838f8f6ed394b4caf05b5f
                                SHA512:e0a6704d19c6afa7e77030d15ad731cb6711988a2814a8f8e9f65e9847d760df071b3d348dba1eb853fa4ec1cf53361a86507ad9b843271b25543ff0d17a60f8
                                SSDEEP:24576:WAHnh+eWsN3skA4RV1Hom2KXMmHa+rttp28yuTdWJdV5:xh+ZkldoPK8YaIHQ8yKdCh
                                TLSH:8D459E0E6391B027FE96BD735B65B305467C692401E38C1F1AB42F6C68723F31A2D66B
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                Icon Hash:8f810a0c0c02000f
                                Entrypoint:0x42800a
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x65EE91D8 [Mon Mar 11 05:08:40 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:afcdf79be1557326c854b6e20cb900a7
                                Instruction
                                call 00007FED70D452FDh
                                jmp 00007FED70D380B4h
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                push edi
                                push esi
                                mov esi, dword ptr [esp+10h]
                                mov ecx, dword ptr [esp+14h]
                                mov edi, dword ptr [esp+0Ch]
                                mov eax, ecx
                                mov edx, ecx
                                add eax, esi
                                cmp edi, esi
                                jbe 00007FED70D3823Ah
                                cmp edi, eax
                                jc 00007FED70D3859Eh
                                bt dword ptr [004C41FCh], 01h
                                jnc 00007FED70D38239h
                                rep movsb
                                jmp 00007FED70D3854Ch
                                cmp ecx, 00000080h
                                jc 00007FED70D38404h
                                mov eax, edi
                                xor eax, esi
                                test eax, 0000000Fh
                                jne 00007FED70D38240h
                                bt dword ptr [004BF324h], 01h
                                jc 00007FED70D38710h
                                bt dword ptr [004C41FCh], 00000000h
                                jnc 00007FED70D383DDh
                                test edi, 00000003h
                                jne 00007FED70D383EEh
                                test esi, 00000003h
                                jne 00007FED70D383CDh
                                bt edi, 02h
                                jnc 00007FED70D3823Fh
                                mov eax, dword ptr [esi]
                                sub ecx, 04h
                                lea esi, dword ptr [esi+04h]
                                mov dword ptr [edi], eax
                                lea edi, dword ptr [edi+04h]
                                bt edi, 03h
                                jnc 00007FED70D38243h
                                movq xmm1, qword ptr [esi]
                                sub ecx, 08h
                                lea esi, dword ptr [esi+08h]
                                movq qword ptr [edi], xmm1
                                lea edi, dword ptr [edi+08h]
                                test esi, 00000007h
                                je 00007FED70D38295h
                                bt esi, 03h
                                Programming Language:
                                • [ASM] VS2013 build 21005
                                • [ C ] VS2013 build 21005
                                • [C++] VS2013 build 21005
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [ASM] VS2013 UPD5 build 40629
                                • [RES] VS2013 build 21005
                                • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x62490 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12b000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x62490 | 0x62600 | f48d50c5c6b0d75d0f368ba8cce24173 | False | 0.8260031170584498 | data | 7.678995562604882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12b000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc8458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc8580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc86a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc87d0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m | English | Great Britain | 0.08508813439015735
RT_MENU | 0xd8ff8 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xd9048 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xd95dc | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xd9c68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xda0f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xda6f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdad50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdb1b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdb310 | 0x4ec62 | data | | | 1.0003285212206112
RT_GROUP_ICON | 0x129f74 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x129f88 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x129f9c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x129fb0 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x129fc4 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x12a0a0 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
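The Entropy and ZLIB Complexity columns above are the quickest static tell of an embedded payload: .rsrc has an entropy of 7.68 against 6.68 for .text, and the 0x4ec62-byte RT_RCDATA resource has a ZLIB complexity of 1.0003, meaning zlib could not shrink it at all, which is how already-compressed or encrypted data behaves. The following Python is an added example, not part of the Joe Sandbox report, showing how those two metrics and the "Xored PE" check can be reproduced on any section or resource body. The thresholds in classify_blob are this example's own heuristic, and all input buffers are constructed for illustration rather than taken from the sample.

```python
import math
import random
import zlib
from collections import Counter
from typing import Optional

# Marker every PE's MS-DOS stub carries; a single-byte XOR of the whole file shifts it too.
DOS_STUB = b"This program cannot be run in DOS mode"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by raw size, the same ratio the report's column shows.
    Around 1.0 (or slightly above, from zlib's framing overhead) means zlib found no
    redundancy: the data is already compressed or encrypted."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def find_xored_pe(data: bytes) -> Optional[int]:
    """Return the single-byte key under which a PE DOS stub appears in data, else None.
    Key 0 (an unencoded PE) is deliberately not reported, matching 'Xored PE: False'."""
    for key in range(1, 256):
        if bytes(b ^ key for b in DOS_STUB) in data:
            return key
    return None


def classify_blob(data: bytes, min_size: int = 64 * 1024) -> dict:
    """Summarise one section or resource body. The payload heuristic (large, high
    entropy, incompressible) and its thresholds are this example's own, not the report's."""
    ent = shannon_entropy(data)
    cplx = zlib_complexity(data)
    return {
        "size": len(data),
        "entropy": round(ent, 3),
        "zlib_complexity": round(cplx, 4),
        "xored_pe_key": find_xored_pe(data),
        "likely_encrypted_payload": len(data) >= min_size and ent > 7.0 and cplx > 0.95,
    }


# Constructed test buffers (not taken from the sample): seeded pseudo-random bytes stand
# in for an encrypted resource, an all-zero buffer for padding, and a fake PE header
# whose DOS stub has been XOR-ed with 0x5A and surrounded by zero padding.
RANDOM_BLOB = random.Random(1).randbytes(256 * 1024)
ZERO_BLOB = bytes(256 * 1024)
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\r\n$" + b"\x00" * 32
XORED_PE_BLOB = b"\x00" * 16 + bytes(b ^ 0x5A for b in FAKE_PE) + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("random", RANDOM_BLOB), ("zeros", ZERO_BLOB), ("xored-pe", XORED_PE_BLOB)):
        print(f"{name:9s} {classify_blob(blob)}")
```

Run against real section bodies, the random buffer's numbers (entropy close to 8, ratio just above 1.0) are what an encrypted RT_RCDATA looks like, while resources such as the icons above sit far below both thresholds. The XOR scan only covers single-byte keys; a rolling or multi-byte key needs a different approach.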
DLL: Imports
WSOCK32.dll: WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll: InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL: GetProcessMemoryInfo
IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll: DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll: IsThemeActive
KERNEL32.dll: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system: English | Country where language is spoken: Great Britain
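The import table above is the standard import set of the AutoIt3 runtime (the WINMM, MPR, IPHLPAPI and USERENV entries back built-ins such as SoundPlay(), DriveMapAdd(), Ping() and RunAs()), and the Import Hash afcdf79be1557326c854b6e20cb900a7 is the hash of that runtime stub, so it is shared with other AutoIt-compiled executables and pivots to the wrapper rather than to this payload. Two consequences for triage follow: capability tags derived from these static imports describe what the interpreter can do, not what the script does, and an API that is absent here (SetWindowsHookExW, for instance) may still be reached through the imported LoadLibraryA/GetProcAddress pair or by code written into another process with the imported VirtualAllocEx/WriteProcessMemory. The Python below is an added example, not from the report: it computes the import hash and maps imports to capability clusters. The DLL and function names in IMPORTS are copied from the table above; the cluster definitions are this example's own grouping.

```python
import hashlib
from typing import Dict, Iterable, List

# Subset of the sample's static imports (DLL -> functions), copied from the table above.
IMPORTS: Dict[str, List[str]] = {
    "KERNEL32.dll": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory",
                     "ResumeThread", "LoadLibraryA", "GetProcAddress", "IsDebuggerPresent",
                     "OutputDebugStringW", "CreateToolhelp32Snapshot", "Process32FirstW"],
    "USER32.dll": ["GetAsyncKeyState", "GetKeyState", "SetKeyboardState", "OpenClipboard",
                   "GetClipboardData", "BlockInput", "SendInput", "keybd_event"],
    "ADVAPI32.dll": ["LogonUserW", "CreateProcessWithLogonW", "AdjustTokenPrivileges"],
    "WININET.dll": ["InternetOpenW", "HttpOpenRequestW", "HttpSendRequestW", "FtpOpenFileW"],
}

# Capability clusters (this example's own grouping): a tag fires only when every API
# in the tuple is statically imported. "keyboard-hook" is listed to show a negative result.
CLUSTERS = {
    "remote-process-write": ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory"),
    "process-enumeration": ("CreateToolhelp32Snapshot", "Process32FirstW"),
    "dynamic-api-resolution": ("LoadLibraryA", "GetProcAddress"),
    "anti-debug": ("IsDebuggerPresent",),
    "input-blocking": ("BlockInput",),
    "key-state-polling": ("GetAsyncKeyState", "GetKeyState"),
    "keyboard-hook": ("SetWindowsHookExW",),
    "clipboard-read": ("OpenClipboard", "GetClipboardData"),
    "alternate-logon": ("LogonUserW", "CreateProcessWithLogonW"),
    "http-client": ("InternetOpenW", "HttpOpenRequestW", "HttpSendRequestW"),
}


def imphash(imports: Dict[str, Iterable[str]]) -> str:
    """pefile-style import hash: lower-case 'dll.function' pairs with the .dll/.ocx/.sys
    extension stripped, joined by commas in import-table order, then MD5-hashed.
    Imports by ordinal are not handled in this example."""
    parts = []
    for dll, funcs in imports.items():
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        parts.extend(f"{name}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def capabilities(imports: Dict[str, Iterable[str]]) -> List[str]:
    """Sorted cluster tags whose APIs are all present in the static import table."""
    present = {func for funcs in imports.values() for func in funcs}
    return sorted(tag for tag, apis in CLUSTERS.items() if all(api in present for api in apis))


if __name__ == "__main__":
    print("imphash :", imphash(IMPORTS))
    print("clusters:", ", ".join(capabilities(IMPORTS)))
```

Because imphash ignores case and the DLL extension but not order, two builds that link the same runtime produce the same value even when their resource payloads differ; that is exactly why it is a good pivot for the packer or interpreter and a poor one for the family carried inside.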
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 18, 2024 14:38:16.200279951 CET | 49705 | 443 | 192.168.2.10 | 104.26.13.205
Mar 18, 2024 14:38:16.200326920 CET | 443 | 49705 | 104.26.13.205 | 192.168.2.10
Mar 18, 2024 14:38:16.200395107 CET | 49705 | 443 | 192.168.2.10 | 104.26.13.205
Mar 18, 2024 14:38:16.207778931 CET | 49705 | 443 | 192.168.2.10 | 104.26.13.205
Mar 18, 2024 14:38:16.207794905 CET | 443 | 49705 | 104.26.13.205 | 192.168.2.10
Mar 18, 2024 14:38:16.697460890 CET | 443 | 49705 | 104.26.13.205 | 192.168.2.10
Mar 18, 2024 14:38:16.697531939 CET | 49705 | 443 | 192.168.2.10 | 104.26.13.205
Mar 18, 2024 14:38:16.704694986 CET | 49705 | 443 | 192.168.2.10 | 104.26.13.205
Mar 18, 2024 14:38:16.704705954 CET | 443 | 49705 | 104.26.13.205 | 192.168.2.10
Mar 18, 2024 14:38:16.705066919 CET | 443 | 49705 | 104.26.13.205 | 192.168.2.10
Mar 18, 2024 14:38:16.758382082 CET | 49705 | 443 | 192.168.2.10 | 104.26.13.205
Mar 18, 2024 14:38:16.797796011 CET | 49705 | 443 | 192.168.2.10 | 104.26.13.205
Mar 18, 2024 14:38:16.840257883 CET | 443 | 49705 | 104.26.13.205 | 192.168.2.10
Mar 18, 2024 14:38:16.947334051 CET | 443 | 49705 | 104.26.13.205 | 192.168.2.10
Mar 18, 2024 14:38:16.947393894 CET | 443 | 49705 | 104.26.13.205 | 192.168.2.10
Mar 18, 2024 14:38:16.947462082 CET | 49705 | 443 | 192.168.2.10 | 104.26.13.205
Mar 18, 2024 14:38:16.957444906 CET | 49705 | 443 | 192.168.2.10 | 104.26.13.205
Mar 18, 2024 14:38:17.764277935 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:17.857971907 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:17.858089924 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:17.960880041 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:17.961116076 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:18.054724932 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.065263987 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.065450907 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:18.171900034 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.174242973 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.176487923 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:18.271018028 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.271048069 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.271064997 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.271081924 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.271119118 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:18.271155119 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:18.276391983 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:18.370294094 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.387685061 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:18.485836983 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.488778114 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.489892960 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:18.589489937 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.592106104 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.593317986 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:18.691898108 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:18.996740103 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:19.002181053 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:19.095854044 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:19.103332043 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:19.103883982 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:19.202835083 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:19.205625057 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:19.205914974 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:19.303831100 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:19.413685083 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:19.414422035 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:19.414526939 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:19.414561033 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:19.414649010 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:19.508281946 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:19.508299112 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:19.508311033 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:19.508322954 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:19.960457087 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.008423090 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:20.027901888 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:20.122051954 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.129847050 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.129990101 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.130069017 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:20.130814075 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:20.132266045 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:20.223974943 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.225786924 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.225934982 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:20.328972101 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.329266071 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:20.422780037 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.434242964 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.434456110 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:20.533843040 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.536468029 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.536967039 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:20.631153107 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.632222891 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:20.632677078 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:20.727183104 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.734679937 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.735131025 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:20.833817005 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.836357117 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:20.836811066 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:20.934700012 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.057145119 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.057471037 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:21.150875092 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.158360004 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.158621073 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:21.256759882 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.259572029 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.259855032 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:21.357733011 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.435241938 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.460431099 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:21.460432053 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:21.460467100 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:21.460524082 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:21.460601091 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:21.460665941 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:21.460731983 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:21.460758924 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:21.460840940 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:21.460872889 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:21.553797007 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.553883076 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.553936005 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.554430008 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.554505110 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.554516077 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.554565907 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:21.554625034 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:22.016396046 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:22.038947105 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:22.132625103 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:22.140165091 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:22.140249014 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:22.140296936 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:22.141777992 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:22.143964052 CET | 49708 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:22.234944105 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:22.237473011 CET | 587 | 49708 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:22.237551928 CET | 49708 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:22.340764999 CET | 587 | 49708 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:22.341057062 CET | 49708 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:22.434554100 CET | 587 | 49708 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:22.444298983 CET | 587 | 49708 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:22.444597960 CET | 49708 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:22.543034077 CET | 587 | 49708 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:22.545568943 CET | 587 | 49708 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:22.545991898 CET | 49708 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:22.640388012 CET | 587 | 49708 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:38:22.641417027 CET | 49708 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:38:22.642008066 CET | 49708 | 587 | 192.168.2.10 | 142.251.16.108
                                Mar 18, 2024 14:38:22.735610008 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:22.742985010 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:22.743313074 CET49708587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:38:22.842068911 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:22.845484018 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:22.845897913 CET49708587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:38:22.944149017 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:23.053354979 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:23.053755999 CET49708587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:38:23.147227049 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:23.154854059 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:23.155167103 CET49708587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:38:23.253071070 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:23.255955935 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:23.256237030 CET49708587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:38:23.355074883 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:23.493453979 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:23.493855000 CET49708587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:38:23.494570017 CET49708587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:38:23.494613886 CET49708587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:38:23.494647980 CET49708587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:38:23.587018967 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:23.587687969 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:23.587702990 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:23.587860107 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:23.984910965 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:38:24.039673090 CET49708587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:45.804239035 CET49708587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:45.897763968 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:45.905221939 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:45.905275106 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:45.905333042 CET49708587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:45.908396006 CET49708587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:45.920056105 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:46.002295017 CET58749708142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.013529062 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.013609886 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:46.115294933 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.115587950 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:46.208354950 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.220057011 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.224020958 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:46.321235895 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.324028969 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.324409962 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:46.418317080 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.419372082 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:46.422861099 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:46.515780926 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.522968054 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.523226976 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:46.620112896 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.623442888 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.623817921 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:46.721201897 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.836390972 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.838406086 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:46.931061029 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.938446045 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:46.942210913 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.038990974 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.042254925 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.046206951 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.144074917 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.221947908 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.222351074 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.222420931 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.222510099 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.222570896 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.223885059 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.315028906 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.315080881 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.315108061 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.315176010 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.315269947 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.315323114 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.316821098 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.316875935 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.316931963 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.316996098 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.317082882 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.317136049 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.317146063 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.317202091 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.317250967 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.317370892 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.317522049 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.317575932 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.317645073 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.322005987 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.408237934 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.408329964 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.408497095 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.409627914 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.409676075 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.409732103 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.409884930 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.409990072 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.410059929 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.410171986 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.410195112 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.410218000 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.410315990 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.410347939 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.410414934 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.410475969 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.410489082 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.410550117 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.410594940 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.410614014 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.410654068 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.410790920 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.411137104 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.411209106 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.411324024 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.411403894 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.414015055 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.414678097 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.414727926 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.414783001 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.505057096 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.505155087 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.505179882 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.505292892 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.505311012 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.505372047 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.505378008 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.505419016 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.505435944 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.505471945 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.505536079 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.505556107 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.505633116 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.505743027 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.505810976 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.505846977 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.505985975 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:47.505996943 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.506028891 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.506073952 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.507287025 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.507611990 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.507631063 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.507750988 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.507821083 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.507997036 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.508096933 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.508289099 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.508409023 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.509253979 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.509476900 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.509646893 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.509867907 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.510009050 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.510140896 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.510202885 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.510282040 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.510369062 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.510510921 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.510792971 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.510849953 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.511096001 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.511123896 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.511298895 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.511311054 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.598598003 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.598623037 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.598635912 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.598669052 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.598753929 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.598812103 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.599364042 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.599431992 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.599490881 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.599545002 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.599558115 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.599569082 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.599594116 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:47.599634886 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:50.165994883 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:50.399046898 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:50.465928078 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:50.466000080 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:51.710727930 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:51.803509951 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:51.810822964 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:51.810925007 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:51.811013937 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:51.811537981 CET49715587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:51.818032026 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:51.905441046 CET58749715142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:51.911231995 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:51.911333084 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:52.014266968 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.014594078 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:52.108314991 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.138186932 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.138345957 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:52.237340927 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.239356041 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.239805937 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:52.334220886 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.335139036 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:52.335551977 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:52.429368019 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.436795950 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.437011957 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:52.535414934 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.538288116 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.539041042 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:52.637320995 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.745028019 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.745297909 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:52.839073896 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.846626043 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.848860979 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:52.947410107 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.950807095 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:52.952609062 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.051420927 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.135862112 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.136693001 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.136750937 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.136854887 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.136915922 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.138350964 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.230804920 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.230834007 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.230845928 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.230859041 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.230911016 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.230937004 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.232426882 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.232482910 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.232548952 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.232568026 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.232599020 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.232635021 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.232659101 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.232666016 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.232726097 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.232744932 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.232772112 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.232817888 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.233375072 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.233422041 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.233509064 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.233685970 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.324589968 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.324697971 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.324794054 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.326519012 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.326544046 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.326571941 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.326596022 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.326611042 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.326817036 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.326832056 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.326865911 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.326880932 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.326904058 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.326934099 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.326978922 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.327028990 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.327095985 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.327127934 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.327146053 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.327182055 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.327326059 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.327477932 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.327491045 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.327521086 CET58749716142.251.16.108192.168.2.10
                                Mar 18, 2024 14:39:53.327533007 CET49716587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:39:53.327562094 CET49716587192.168.2.10142.251.16.108
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Mar 18, 2024 14:39:53.327565908 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.327573061 CET  49716        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:53.327579975 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.327641010 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.327653885 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.327691078 CET  49716        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:53.327711105 CET  49716        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:53.418421984 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.418448925 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.418461084 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.418473005 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.418562889 CET  49716        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:53.418617010 CET  49716        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:53.420136929 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420156002 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420182943 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420190096 CET  49716        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:53.420232058 CET  49716        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:53.420294046 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420305014 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420357943 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420383930 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420465946 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420603991 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420677900 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420731068 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420819998 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420872927 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420892954 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420905113 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420916080 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.420960903 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421013117 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421024084 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421053886 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421166897 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421179056 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421217918 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421237946 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421257973 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421305895 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421319008 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421329975 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421401978 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421416044 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421485901 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421499014 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421510935 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421624899 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421637058 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.421648026 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.512465954 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.512501001 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.512527943 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.512623072 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.512690067 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.512725115 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.512845039 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.512867928 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.513849974 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.513988018 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.514066935 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.514149904 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:53.514259100 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:54.505815029 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:54.695944071 CET  49716        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:56.004796028 CET  49716        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:56.098680019 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.106009007 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.106038094 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.106125116 CET  49716        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:56.106508970 CET  49716        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:56.107903004 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:56.199477911 CET  587          49716      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.202287912 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.202363014 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:56.473494053 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.473651886 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:56.569766998 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.579546928 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.579721928 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:56.679514885 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.680897951 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.681301117 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:56.776298046 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.777070045 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:56.777458906 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:56.871109962 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.879046917 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.881414890 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:56.979434013 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.982640028 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:56.986293077 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.084445953 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.199866056 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.202547073 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.296318054 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.303888083 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.304091930 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.402437925 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.405481100 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.405682087 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.504518032 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.583610058 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.586627007 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.586700916 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.586776972 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.586842060 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.588278055 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.680479050 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.680541992 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.680574894 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.680605888 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.680704117 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.682008028 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.682060003 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.682133913 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.682298899 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.682394981 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.682425976 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.682459116 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.682480097 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.682518959 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.682533979 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.682564974 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.682596922 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.682646036 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.682646036 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.774655104 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.774683952 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.774774075 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.775795937 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.775932074 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.776106119 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.776118040 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.776149035 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.776284933 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.776330948 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.776369095 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.776427984 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.776483059 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.776501894 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.776555061 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.776580095 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.776603937 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.776623964 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.776637077 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.776680946 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.776747942 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.776879072 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.776926994 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.776982069 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.777235985 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.777293921 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.777508974 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.777522087 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.777573109 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.777575970 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.777760983 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.777811050 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.869153976 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.869205952 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.869271994 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.869296074 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.869329929 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.869330883 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.869369030 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.869390011 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.870063066 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870117903 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.870177984 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870232105 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:39:57.870265961 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870300055 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870341063 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870353937 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870445013 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870485067 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870567083 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870677948 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870722055 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870773077 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870837927 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870886087 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.870971918 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.871052980 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.871088028 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.871154070 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.871201038 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.871260881 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.871295929 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.871385098 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.871721983 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.871783018 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.871824980 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.871908903 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.871983051 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.872112989 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.872138977 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.872229099 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.872267962 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.872301102 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.872335911 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.872385979 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.872453928 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.872504950 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.963283062 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.963346958 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.963382959 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.963534117 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.963587046 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.963766098 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.963934898 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.963968039 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.964400053 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.964453936 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.964534998 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.964628935 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:57.964662075 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:58.482465982 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:39:58.524029970 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:13.975414038 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:14.069262028 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.076610088 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.076643944 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.076719999 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:14.077143908 CET  49717        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:14.078392982 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:14.170308113 CET  587          49717      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.172326088 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.172437906 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:14.275671959 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.275885105 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:14.370732069 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.381165028 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.381474972 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:14.480731964 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.483047962 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.487476110 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:14.581999063 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.582904100 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:14.583264112 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:14.677191973 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.684721947 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.685024977 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:14.783601046 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.786755085 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.787178040 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:14.887502909 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.997205019 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:14.997467041 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.091577053 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.099296093 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.099576950 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.198558092 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.201060057 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.201281071 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.300482035 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.386790991 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.387150049 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.387223005 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.387268066 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.387337923 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.388839960 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.481364965 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.481390953 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.481410980 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.481420994 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.481441021 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.481476068 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.483023882 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.483042955 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.483052969 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.483063936 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.483073950 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.483074903 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.483088970 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.483100891 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.483133078 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.483223915 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.483270884 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.483300924 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.483313084 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.483345985 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.483359098 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.575378895 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.575397968 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.575450897 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.575500965 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.576921940 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.576973915 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577020884 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577070951 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577095032 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577128887 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577145100 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577178001 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577229023 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577270985 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577359915 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577403069 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577505112 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577547073 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577604055 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577656031 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577666044 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577678919 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577694893 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577713013 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577734947 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577744961 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577781916 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577795029 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577830076 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577847004 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577858925 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577902079 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.577946901 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.577987909 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.578066111 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.578109980 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.578170061 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.578233957 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.578310013 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.578352928 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.669476986 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.669502974 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.669548035 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.669574022 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.669636011 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.669665098 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.669713020 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.670809984 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.670857906 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.670908928 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.670958996 CET  49718        587        192.168.2.10    142.251.16.108
Mar 18, 2024 14:40:15.671017885 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.671093941 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.671206951 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.671333075 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.671540022 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.671828985 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.671907902 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.671952009 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.672175884 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.672641993 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.672667980 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.672739983 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.672801018 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.672858000 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.672899008 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.672947884 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.673012018 CET  587          49718      142.251.16.108  192.168.2.10
Mar 18, 2024 14:40:15.673024893 CET  587          49718      142.251.16.108  192.168.2.10
                                Mar 18, 2024 14:40:15.673069954 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.673120022 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.673135042 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.673190117 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.673304081 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.673785925 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.674197912 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.674262047 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.674350023 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.674396992 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.674485922 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.674568892 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.674609900 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.674768925 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.674832106 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.674900055 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.763545990 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.763564110 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.763575077 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.763689041 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.763842106 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.763978958 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.764028072 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.764065027 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.764822006 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.764919996 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.764995098 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.765058994 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:15.765130997 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:16.438291073 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:16.524066925 CET49718587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:20.003390074 CET49718587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:20.097362995 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.111828089 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.111984968 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.112057924 CET49718587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:20.112981081 CET49718587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:20.114285946 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:20.206207037 CET58749718142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.208677053 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.208745956 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:20.311872005 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.331300974 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:20.425924063 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.436319113 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.436467886 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:20.535882950 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.538268089 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.539696932 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:20.636600018 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.637861013 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:20.689584970 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:20.736845016 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.784266949 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.791435957 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.791670084 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:20.890815020 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:20.893172026 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:21.024068117 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:21.152865887 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:21.251914024 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:21.360451937 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:21.378766060 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:21.473118067 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:21.480503082 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:21.493336916 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:21.592849970 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:21.594939947 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:21.727229118 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.202678919 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.302047014 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.379442930 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.379863977 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.379894018 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.379935026 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.380007029 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.387676001 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.474670887 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.474838972 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.475702047 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.476281881 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.477044106 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.477127075 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.482353926 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.482498884 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.482614994 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.482659101 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.482794046 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.482808113 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.482834101 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.482841969 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.482848883 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.482870102 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.482887030 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.482945919 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.482992887 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.483023882 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.483066082 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.483068943 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.483117104 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.569926023 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.570066929 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.571647882 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.571698904 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.576944113 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.576987028 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577009916 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577044964 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577059984 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577071905 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577081919 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577091932 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577104092 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577130079 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577145100 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577159882 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577188015 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577210903 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577250004 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577326059 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577358961 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577373028 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577395916 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577442884 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577461958 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577481985 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577491999 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577500105 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577680111 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577718019 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577749014 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577788115 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577862978 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577903032 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.577946901 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577958107 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.577992916 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.578125954 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.578167915 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.665777922 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.665797949 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.665936947 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.666194916 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.666239023 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.666412115 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.666460991 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.671677113 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.671690941 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.671701908 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.671741009 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.671753883 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.671766043 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.671778917 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:23.671921015 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.672015905 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.672230005 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.672259092 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.672313929 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.672326088 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.672337055 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.672355890 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.672435045 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.672480106 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.672614098 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.672728062 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.672857046 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.672972918 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673021078 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673079967 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673193932 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673213005 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673263073 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673321009 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673474073 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673513889 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673556089 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673719883 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673763037 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673800945 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673846006 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673934937 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.673947096 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.674015999 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.760400057 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.760415077 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.760426044 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.760453939 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.760466099 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.760535955 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.760704994 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.760723114 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.766010046 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.766043901 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.766118050 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.766129971 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:23.766140938 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:24.369543076 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:24.414746046 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:26.566442013 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:26.660727024 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:26.667948008 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:26.668245077 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:26.668322086 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:26.668462038 CET49719587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:26.669687033 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:26.762371063 CET58749719142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:26.763747931 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:26.763813019 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:26.866837025 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:26.867044926 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:26.961302042 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:26.971752882 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:26.971927881 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:27.070312977 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.073460102 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.073839903 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:27.168292046 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.169276953 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:27.171155930 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:27.265171051 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.272707939 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.272934914 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:27.371196985 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.374398947 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.375288010 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:27.474705935 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.589910030 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.590140104 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:27.684123039 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.691629887 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.691864014 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:27.790426016 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.793487072 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.793976068 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:27.892422915 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.974853992 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:27.978348970 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:27.978431940 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:27.978494883 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:27.978583097 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:27.980370998 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:28.072524071 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.072542906 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.072643042 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:28.072699070 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.072730064 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.072771072 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:28.074377060 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.074454069 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.074529886 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:28.074541092 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.074743986 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.074794054 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:28.074826002 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.074897051 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.074939966 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:28.074958086 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.074985981 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.074992895 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:28.075217962 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.075258970 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:28.167012930 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.167218924 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.167392015 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:28.168600082 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.168675900 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:28.169048071 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.169312954 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.169394970 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:28.169507027 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.169594049 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.169677973 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:40:28.169774055 CET58749720142.251.16.108192.168.2.10
                                Mar 18, 2024 14:40:28.170021057 CET49720587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:14.955234051 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:14.955373049 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:14.955387115 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:14.955460072 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:14.955491066 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:14.955535889 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:14.959245920 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:14.959270954 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:14.959281921 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:14.959297895 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.035247087 CET49723587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:15.035335064 CET49723587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:15.035391092 CET49723587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:15.035448074 CET49723587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:15.046504974 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.046595097 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.046633959 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.046751022 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.046787024 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.046818972 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.046869993 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.047077894 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.129770994 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.129793882 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.129962921 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.130024910 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.130171061 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.130239964 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.130276918 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.130345106 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.793627977 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:15.837970018 CET49723587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:21.002726078 CET49723587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:21.097167969 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.104439020 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.104530096 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.104583025 CET49723587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:21.105374098 CET49723587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:21.107625961 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:21.199541092 CET58749723142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.201523066 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.201613903 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:21.304132938 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.304306030 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:21.398305893 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.408921957 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.409216881 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:21.508302927 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.510493994 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.510858059 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:21.606906891 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.607924938 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:21.609760046 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:21.703380108 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.711117029 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.711471081 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:21.810229063 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.813344955 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:21.813688993 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:21.912321091 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.024036884 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.025088072 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.119316101 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.126801014 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.127069950 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.226264954 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.229434967 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.229706049 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.334078074 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.411096096 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.411591053 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.411591053 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.411649942 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.411649942 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.412969112 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.505681992 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.505709887 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.505727053 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.505739927 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.505944967 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.506988049 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.507004023 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.507092953 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.507230997 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.507247925 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.507266045 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.507333994 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.507333994 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.507432938 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.507441998 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.507446051 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.507500887 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.507539034 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.507580042 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.600728989 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.600750923 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.600919962 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.601325989 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.601399899 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.601453066 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.601511002 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.601541042 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.601803064 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.601855040 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.601871014 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.601927042 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.601933002 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.601959944 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.602003098 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.602008104 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.602080107 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.602107048 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.602119923 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.602158070 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.602183104 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.602195978 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.602276087 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.602294922 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.602339029 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.602375984 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.602380991 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.602418900 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.602442980 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.602463961 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.602518082 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.602541924 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.602552891 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.602627039 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.695267916 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.695291042 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.695405960 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.695528030 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.695565939 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.695630074 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.695672035 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.695684910 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.695694923 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.695728064 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.695749998 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:22.695930958 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.695944071 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.695988894 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.696110964 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.696261883 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.696274042 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.696628094 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.696810961 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.696913958 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.696924925 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.696976900 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.697005987 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.697098017 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.697221041 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.697237968 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.697283030 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.697386980 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.697432995 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.697443962 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.697798014 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.697876930 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.697947025 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.698057890 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.698091030 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.698201895 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.698318005 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.698338032 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.698373079 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.698429108 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.698496103 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.698592901 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.698657036 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.698669910 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.789561987 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.789634943 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.790004015 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.790047884 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.790119886 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.790190935 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.790241957 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.790301085 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.790384054 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.790426970 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.790518045 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.790581942 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:22.790811062 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:23.603774071 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:23.743009090 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:38.195405960 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:38.289446115 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:38.296972990 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:38.297055006 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:38.297244072 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:38.297565937 CET49724587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:38.298775911 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:38.391442060 CET58749724142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:38.392278910 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:38.392417908 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:38.494920015 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:38.495101929 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:38.588610888 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:38.598723888 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:38.599104881 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:38.697371006 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:38.700109959 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:38.700470924 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:38.794795990 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:38.796752930 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:38.798491001 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:38.892060995 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:38.899580956 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:38.899822950 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:39.000119925 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:39.002626896 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:39.002942085 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:39.101525068 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:39.215420008 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:39.215651035 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:39.309169054 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:39.316842079 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:39.317080021 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:39.415709019 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:39.418298960 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:39.418495893 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:39.516587019 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:39.959733963 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:39.960077047 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:39.960118055 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:39.960180044 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:39.960246086 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:39.961659908 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.053751945 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.053767920 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.053780079 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.053791046 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.053924084 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.053972006 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.055134058 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.055165052 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.055201054 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.055233955 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.055305004 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.055320024 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.055368900 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.055393934 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.055422068 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.055471897 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.055628061 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.055671930 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.055744886 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.055746078 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.057992935 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.147707939 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.147726059 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.147875071 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.148591042 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.148638964 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.148675919 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.148735046 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.148797989 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.148840904 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.148884058 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.148935080 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.149055004 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.149108887 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.149122000 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.149158001 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.149205923 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.149257898 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.149307966 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.149364948 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.149414062 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.149458885 CET49725587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:40.149466991 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:40.149565935 CET58749725142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.203666925 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.203712940 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.203865051 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.203979969 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.204018116 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.204082966 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.204189062 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.204263926 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.204303980 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.204365015 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.204570055 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.204658985 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.292171001 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.292191029 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.292275906 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.292288065 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.292299032 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.292388916 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.292659998 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.292678118 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.293838978 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.293924093 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.294384956 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.294436932 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.294567108 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.446571112 CET49727587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:53.516999960 CET49728587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:53.545080900 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.610069036 CET58749728142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.610239983 CET49728587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:53.712080002 CET58749728142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.712244034 CET49728587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:53.805454969 CET58749728142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.815228939 CET58749728142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.815510988 CET49728587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:53.913479090 CET58749728142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.915749073 CET58749728142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.918823957 CET49728587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:53.945477009 CET58749727142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:53.945528984 CET49727587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:54.011941910 CET58749728142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:54.012054920 CET49728587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:54.032027006 CET49729587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:54.126396894 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:54.126499891 CET49729587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:54.229216099 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:54.229365110 CET49729587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:54.323136091 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:54.334031105 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:54.334218025 CET49729587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:54.432753086 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:54.435359001 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:54.435825109 CET49729587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:54.530034065 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:54.530874968 CET49729587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:54.532634020 CET49729587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:54.625976086 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:54.633400917 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:54.633805037 CET49729587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:54.731794119 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:54.734904051 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:54.736970901 CET49729587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:54.834778070 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:55.087240934 CET49729587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:55.104969025 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:55.105040073 CET49729587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:55.165527105 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:55.185780048 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:55.185858011 CET49729587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:55.188414097 CET58749729142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:55.188483000 CET49729587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:55.259557962 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:55.259643078 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:55.566062927 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:55.568305969 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:55.670653105 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:55.674190044 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:55.769793034 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:55.780298948 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:55.782191038 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:55.881918907 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:55.883618116 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:55.886764050 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:55.981112957 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:55.981916904 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:55.983851910 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.077301979 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.084759951 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.085236073 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.183655024 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.185923100 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.186249018 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.285044909 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.394814014 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.395137072 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.489509106 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.496246099 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.496517897 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.597806931 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.599930048 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.600509882 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.698966026 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.784769058 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.785128117 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.785954952 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.785999060 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.786067009 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.787270069 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.878897905 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.879159927 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.879518986 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.879573107 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.879591942 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.879688978 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.880705118 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.880773067 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.880804062 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.880877018 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.880920887 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.880996943 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.881053925 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.881120920 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.881201029 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.881270885 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.881347895 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.881414890 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.881438017 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.881504059 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.881555080 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.881603956 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.881623030 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.881673098 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.972497940 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.972757101 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.972759962 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.972826004 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.973875999 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.973954916 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.974059105 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.974282980 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.974349976 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.974426985 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.974574089 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.974646091 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.974822998 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.974869013 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.974888086 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.974937916 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.974992990 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.975071907 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.975133896 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.975212097 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.975703955 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.975723982 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.975769997 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.975816965 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.975831985 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.975882053 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.975893974 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.975949049 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.976020098 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.976073980 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.976089954 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.976151943 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.976155996 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.976228952 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.976273060 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.976351976 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.976382971 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.976447105 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:56.976502895 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:56.976566076 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:57.065987110 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.066040993 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.066095114 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.066246986 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:57.066308975 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:57.066360950 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.066437006 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:57.067260027 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.067362070 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:57.067384005 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.067473888 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:41:57.067632914 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.067866087 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.067883968 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.068084955 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.068404913 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.068471909 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.068542957 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.068794012 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.068952084 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.069169998 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.069541931 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.069606066 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.069753885 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.069787979 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.069998980 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.070069075 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.070122004 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.070405006 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.070485115 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.070498943 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.070549965 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.070560932 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.070586920 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.070633888 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.070683956 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.070764065 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.070919037 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.071014881 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.071134090 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.071479082 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.071646929 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.071758032 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.072135925 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.072205067 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.159797907 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.159821033 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.160185099 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.160290003 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.160352945 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.160492897 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.160666943 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.160995007 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.161007881 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.161046028 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.161089897 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.161154032 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.161206961 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.704519987 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:41:57.883524895 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:00.965257883 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:01.060760975 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.068176031 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.068240881 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.068289995 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:01.068582058 CET49730587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:01.069757938 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:01.161403894 CET58749730142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.164283991 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.164362907 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:01.267477036 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.269956112 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:01.363507032 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.373811960 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.374073029 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:01.472659111 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.474545956 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.477957964 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:01.572556019 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.576957941 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:01.578821898 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:01.674062967 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.682087898 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.685065985 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:01.783853054 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.786102057 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:01.786562920 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:01.884557962 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:02.008321047 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:02.012938023 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:02.106591940 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:02.118328094 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:02.118607998 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:02.216924906 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:02.219217062 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:02.219518900 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:02.317549944 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:02.399568081 CET58749731142.251.16.108192.168.2.10
                                Mar 18, 2024 14:42:02.399936914 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:02.399936914 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:02.399990082 CET49731587192.168.2.10142.251.16.108
                                Mar 18, 2024 14:42:02.400146008 CET49731587192.168.2.10142.251.16.108
Mar 18, 2024 14:42:02.401266098 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.493211985 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.493244886 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.493262053 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.493324041 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.493385077 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.493496895 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.494638920 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.494652033 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.494684935 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.494697094 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.494748116 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.494806051 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.494828939 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.494853973 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.494868040 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.494883060 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.494894028 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.494923115 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.495006084 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.586870909 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.586899042 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.587150097 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.588114023 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.588198900 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.588213921 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.588255882 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.588277102 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.588396072 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.588414907 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.588479042 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.588541031 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.588577986 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.588604927 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.588619947 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.588768959 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.588788033 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.588799000 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.588829041 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.588846922 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.588861942 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.588953972 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.589056015 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.589226961 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.589237928 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.589255095 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.589282036 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.589402914 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.589456081 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.589643002 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.589654922 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.589699984 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.589734077 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.589744091 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.589809895 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.680699110 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.680721045 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.680782080 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.680794001 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.680922985 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.681575060 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.681648970 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.681659937 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.681771040 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.681788921 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:02.681888103 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.681989908 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.682077885 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.682265043 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.682482958 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.682559013 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.682602882 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.682647943 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.682661057 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.682696104 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.682734013 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.682745934 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.682871103 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.683144093 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.683183908 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.683243990 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.683315039 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.683379889 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.683473110 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.683590889 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.683857918 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.683957100 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.684204102 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.684235096 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.684326887 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.684375048 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.684498072 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.684571028 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.684693098 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.685569048 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.685627937 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.685908079 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.685971022 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.774358034 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.774497032 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.774538040 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.774916887 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.774995089 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.775770903 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.775863886 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.775949001 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.776062965 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.776124001 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.776195049 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.776236057 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:02.776274920 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:03.517574072 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:03.571140051 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:06.803565979 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:06.896706104 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:06.903928995 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:06.904068947 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:06.904242992 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:06.904388905 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:06.905560970 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:06.997173071 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:06.999021053 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:06.999102116 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:07.101181984 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.101327896 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:07.194566011 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.208304882 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.208477974 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:07.306581974 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.309973955 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.310375929 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:07.407041073 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.408056974 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:07.409632921 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:07.502960920 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.510308027 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.510822058 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:07.609256983 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.611299992 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.611610889 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:07.709086895 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.817159891 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.817480087 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:07.910581112 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.918231010 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:07.918719053 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.017206907 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.019484997 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.020004034 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.118083000 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.213426113 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.213988066 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.214281082 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.214368105 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.214432955 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.216435909 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.309024096 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.309067965 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.309138060 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.309222937 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.309315920 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.309989929 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.311328888 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.311384916 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.311431885 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.311654091 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.311707020 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.311763048 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.311861038 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.311907053 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.311952114 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.311983109 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.312028885 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.312037945 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.312082052 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.312124968 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.402534962 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.403160095 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.403254032 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.404592037 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.404669046 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.404725075 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.404896975 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.404922962 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.404978037 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.404999971 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.405137062 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.405183077 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.405312061 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.405323029 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.405373096 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.405405998 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.405612946 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.405658007 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.405703068 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.405750036 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.405761003 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.405791998 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.405812979 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.405936003 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.405977964 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.406060934 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.406088114 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.406131029 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.406131029 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.406290054 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.406336069 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.496726036 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.496747971 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.496758938 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.496802092 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.496841908 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.496849060 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.496917009 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.496958971 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.497993946 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.498018980 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.498070002 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:08.498078108 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.498158932 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.498194933 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.498244047 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.498313904 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.498648882 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.498795986 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.498953104 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.498965025 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.499006033 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.499111891 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.499150991 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.499243975 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.499254942 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.499358892 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.499419928 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.499456882 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.499511957 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.499521971 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.499674082 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500035048 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500122070 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500159979 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500169039 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500241995 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500252008 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500262976 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500442028 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500545025 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500566006 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500622988 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500686884 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500709057 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.500864983 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.590552092 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.590575933 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.590696096 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.590743065 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.590754986 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.590775013 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.590792894 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.590810061 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.591506958 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.591584921 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.591670990 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.591681957 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:08.591723919 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:09.240840912 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:09.289844036 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:18.021517992 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:18.115263939 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.122419119 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.122566938 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.122720957 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:18.123389959 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:18.123708963 CET | 49733 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:18.217394114 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.217605114 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.217706919 CET | 49733 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:18.320626974 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.320789099 CET | 49733 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:18.414905071 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.424782038 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.424949884 CET | 49733 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:18.523257017 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.526266098 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.526827097 CET | 49733 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:18.621997118 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.622723103 CET | 49733 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:18.622997999 CET | 49733 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:18.717317104 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.724519014 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.724791050 CET | 49733 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:18.823111057 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.825696945 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:18.825999022 CET | 49733 | 587 | 192.168.2.10 | 142.251.16.108
Mar 18, 2024 14:42:18.924043894 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:19.054789066 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10
Mar 18, 2024 14:42:19.102255106 CET | 49733 | 587 | 192.168.2.10 | 142.251.16.108
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 18, 2024 14:38:16.103713036 CET | 55706 | 53 | 192.168.2.10 | 1.1.1.1
Mar 18, 2024 14:38:16.191673040 CET | 53 | 55706 | 1.1.1.1 | 192.168.2.10
Mar 18, 2024 14:38:17.674678087 CET | 59487 | 53 | 192.168.2.10 | 1.1.1.1
Mar 18, 2024 14:38:17.762922049 CET | 53 | 59487 | 1.1.1.1 | 192.168.2.10
Mar 18, 2024 14:40:31.713879108 CET | 52805 | 53 | 192.168.2.10 | 1.1.1.1
Mar 18, 2024 14:40:31.802490950 CET | 53 | 52805 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 18, 2024 14:38:16.103713036 CET | 192.168.2.10 | 1.1.1.1 | 0x76f1 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:38:17.674678087 CET | 192.168.2.10 | 1.1.1.1 | 0x6575 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:40:31.713879108 CET | 192.168.2.10 | 1.1.1.1 | 0x22e9 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 18, 2024 14:38:16.191673040 CET | 1.1.1.1 | 192.168.2.10 | 0x76f1 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:38:16.191673040 CET | 1.1.1.1 | 192.168.2.10 | 0x76f1 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:38:16.191673040 CET | 1.1.1.1 | 192.168.2.10 | 0x76f1 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:38:17.762922049 CET | 1.1.1.1 | 192.168.2.10 | 0x6575 | No error (0) | smtp.gmail.com | | 142.251.16.108 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:40:31.802490950 CET | 1.1.1.1 | 192.168.2.10 | 0x22e9 | No error (0) | smtp.gmail.com | | 142.251.16.108 | A (IP address) | IN (0x0001) | false
                                • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49705 | 104.26.13.205 | 443 | 7876 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-03-18 13:38:16 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-03-18 13:38:16 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Mon, 18 Mar 2024 13:38:16 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 86659f473c680fa9-EWR
2024-03-18 13:38:16 UTC | 14 | IN | Data Raw: 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34
    Data Ascii: 191.96.227.194
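
The sequence in the tables above is the AgentTesla SMTP exfiltration pattern: RegSvcs.exe (PID 7876) fetches the sandbox's public address from api.ipify.org, then the same host resolves smtp.gmail.com and opens TCP/587 sessions to 142.251.16.108. The following Python is an added detection example, not part of the Joe Sandbox report or its tooling. It correlates the record kinds these tables contain (DNS queries and answers, the HTTP session with its owning process, TCP connections) per source host and flags a public-IP lookup followed within a window by a connection to a mail-submission port, marking the finding when the attributed process is not a known mail client. The Event schema, the 15-minute window, the lookup-service list and the mail-client allowlist are assumptions to tune; the sample values are taken from the report (UTC), plus one constructed benign Outlook host as a control.

```python
"""Correlate a public-IP lookup with a following SMTP submission from the same host.

Added detection example, not Joe Sandbox code. Models the sequence in the report:
RegSvcs.exe fetches the public IP from api.ipify.org, then the host opens TCP/587
sessions to smtp.gmail.com. Schema, window, service list and allowlist are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Public-IP services stealers use to tag the victim (assumption: extend for your estate).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org", "icanhazip.com"}
MAIL_SUBMISSION_PORTS = {25, 465, 587}
# Images allowed to speak SMTP directly (assumption: derive from your software inventory).
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str           # internal host that produced the event
    kind: str          # "dns_query" | "dns_answer" | "http" | "tcp"
    name: str = ""     # queried/answered DNS name or HTTP Host header
    dst: str = ""      # destination IP; for dns_answer, the resolved address
    dport: int = 0
    process: str = ""  # image path when the source table provides one (HTTP does, TCP does not)


def image_name(path: str) -> str:
    """Lower-case file name from a Windows image path ('' stays '')."""
    return path.rsplit("\\", 1)[-1].lower()


def build_resolver(events):
    """Map resolved IP -> names seen in dns_answer records, to label TCP peers."""
    table = {}
    for e in events:
        if e.kind == "dns_answer" and e.dst:
            table.setdefault(e.dst, set()).add(e.name)
    return table


def detect_ip_lookup_then_smtp(events, window=timedelta(minutes=15)):
    """Per source host: the first lookup of each IP-lookup service, paired with the
    first mail-submission connection inside `window`. One finding per service."""
    resolver = build_resolver(events)
    by_src = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_src.setdefault(e.src, []).append(e)

    findings = []
    for src, evs in by_src.items():
        lookups = {}  # service name -> its lookup events, in time order
        for e in evs:
            if e.kind in ("dns_query", "http") and e.name in IP_LOOKUP_HOSTS:
                lookups.setdefault(e.name, []).append(e)
        smtp = [e for e in evs if e.kind == "tcp" and e.dport in MAIL_SUBMISSION_PORTS]
        for service, lks in lookups.items():
            first = lks[0]
            hit = next((s for s in smtp if first.ts <= s.ts <= first.ts + window), None)
            if hit is None:
                continue
            # Process attribution comes from whichever records carried an image path.
            procs = {image_name(e.process) for e in lks + [hit] if e.process}
            findings.append({
                "src": src,
                "lookup_host": service,
                "smtp_peer": hit.dst,
                "smtp_names": sorted(resolver.get(hit.dst, ())),
                "dport": hit.dport,
                "delay_s": (hit.ts - first.ts).total_seconds(),
                "processes": sorted(procs),
                "non_mail_client": any(p not in MAIL_CLIENT_ALLOWLIST for p in procs),
            })
    return findings


def _utc(hms: str) -> datetime:
    """Report day 2024-03-18; the HTTP table is in UTC (the CET rows run one hour ahead)."""
    return datetime.strptime("2024-03-18 " + hms, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


SANDBOX = "192.168.2.10"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Values from the report's DNS, HTTP and TCP tables, plus one constructed benign host.
SAMPLE_EVENTS = [
    Event(_utc("13:38:16"), SANDBOX, "dns_query", name="api.ipify.org", dst="1.1.1.1", dport=53),
    Event(_utc("13:38:16"), SANDBOX, "dns_answer", name="api.ipify.org", dst="104.26.13.205"),
    Event(_utc("13:38:16"), SANDBOX, "http", name="api.ipify.org", dst="104.26.13.205",
          dport=443, process=REGSVCS),
    Event(_utc("13:38:17"), SANDBOX, "dns_query", name="smtp.gmail.com", dst="1.1.1.1", dport=53),
    Event(_utc("13:38:17"), SANDBOX, "dns_answer", name="smtp.gmail.com", dst="142.251.16.108"),
    Event(_utc("13:38:17"), SANDBOX, "tcp", dst="142.251.16.108", dport=587),  # source port 49706
    Event(_utc("13:42:02"), SANDBOX, "tcp", dst="142.251.16.108", dport=587),  # source port 49731
    # Constructed control: a mail client submitting mail with no preceding IP lookup.
    Event(_utc("13:40:00"), "192.168.2.20", "tcp", dst="142.251.16.108", dport=587,
          process=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
]

if __name__ == "__main__":
    for finding in detect_ip_lookup_then_smtp(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the only finding is for 192.168.2.10: api.ipify.org, then smtp.gmail.com:587 one second later, attributed to regsvcs.exe and therefore outside the mail-client allowlist; the constructed Outlook host produces nothing because it never consulted an IP-lookup service. The report's TCP table carries no PID, so attribution here rests on the HTTP row alone; endpoint telemetry that names the process per connection would let the same logic attribute the SMTP session directly. Because the submission is wrapped in STARTTLS, the mail body is not recoverable from the capture, and the lookup-then-submit sequence plus the sending process is what there is to detect on.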


                                Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                Mar 18, 2024 14:38:17.960880041 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP h20-20020ac87154000000b0042c61b99f42sm4987952qtp.46 - gsmtp
                                Mar 18, 2024 14:38:17.961116076 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:38:18.065263987 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:38:18.065450907 CET | 49706 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:38:18.174242973 CET | 587 | 49706 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:38:20.328972101 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP cz8-20020a056214088800b00691663dbd4csm4878314qvb.78 - gsmtp
                                Mar 18, 2024 14:38:20.329266071 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:38:20.434242964 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:38:20.434456110 CET | 49707 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:38:20.536468029 CET | 587 | 49707 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:38:22.340764999 CET | 587 | 49708 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP gx9-20020a05622a27c900b0042ef4b5f4fbsm4995507qtb.38 - gsmtp
                                Mar 18, 2024 14:38:22.341057062 CET | 49708 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:38:22.444298983 CET | 587 | 49708 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:38:22.444597960 CET | 49708 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:38:22.545568943 CET | 587 | 49708 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:39:46.115294933 CET | 587 | 49715 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP cq7-20020a05622a424700b0042f3e288807sm1715493qtb.95 - gsmtp
                                Mar 18, 2024 14:39:46.115587950 CET | 49715 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:39:46.220057011 CET | 587 | 49715 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:39:46.224020958 CET | 49715 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:39:46.324028969 CET | 587 | 49715 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:39:52.014266968 CET | 587 | 49716 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP fk13-20020a05622a558d00b00430b59c37acsm3434806qtb.13 - gsmtp
                                Mar 18, 2024 14:39:52.014594078 CET | 49716 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:39:52.138186932 CET | 587 | 49716 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:39:52.138345957 CET | 49716 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:39:52.239356041 CET | 587 | 49716 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:39:56.473494053 CET | 587 | 49717 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP br18-20020a05620a461200b007883e49837bsm4562291qkb.86 - gsmtp
                                Mar 18, 2024 14:39:56.473651886 CET | 49717 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:39:56.579546928 CET | 587 | 49717 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:39:56.579721928 CET | 49717 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:39:56.680897951 CET | 587 | 49717 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:40:14.275671959 CET | 587 | 49718 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP kl13-20020a056214518d00b00690dcc7ae8dsm5298297qvb.3 - gsmtp
                                Mar 18, 2024 14:40:14.275885105 CET | 49718 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:40:14.381165028 CET | 587 | 49718 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:40:14.381474972 CET | 49718 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:40:14.483047962 CET | 587 | 49718 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:40:20.311872005 CET | 587 | 49719 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP pp26-20020a056214139a00b00691732938a8sm4421800qvb.73 - gsmtp
                                Mar 18, 2024 14:40:20.331300974 CET | 49719 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:40:20.436319113 CET | 587 | 49719 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:40:20.436467886 CET | 49719 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:40:20.538268089 CET | 587 | 49719 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:40:26.866837025 CET | 587 | 49720 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP gf15-20020a056214250f00b006912014b98dsm5345156qvb.129 - gsmtp
                                Mar 18, 2024 14:40:26.867044926 CET | 49720 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:40:26.971752882 CET | 587 | 49720 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:40:26.971927881 CET | 49720 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:40:27.073460102 CET | 587 | 49720 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:40:32.003166914 CET | 587 | 49721 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP y22-20020a37e316000000b00789f55e1ca3sm1661361qki.8 - gsmtp
                                Mar 18, 2024 14:40:32.247478008 CET | 587 | 49722 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP y17-20020a05622a005100b00430d8e11bebsm529368qtw.64 - gsmtp
                                Mar 18, 2024 14:40:32.247662067 CET | 49722 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:40:32.369478941 CET | 587 | 49722 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:40:32.369676113 CET | 49722 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:40:32.472831964 CET | 587 | 49722 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:41:13.531019926 CET | 587 | 49723 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP t28-20020a05620a035c00b00789e7338dd2sm2970117qkm.39 - gsmtp
                                Mar 18, 2024 14:41:13.531146049 CET | 49723 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:41:13.636401892 CET | 587 | 49723 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:41:13.636550903 CET | 49723 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:41:13.738727093 CET | 587 | 49723 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:41:21.304132938 CET | 587 | 49724 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP j1-20020ac84401000000b0042f376886d2sm4990442qtn.36 - gsmtp
                                Mar 18, 2024 14:41:21.304306030 CET | 49724 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:41:21.408921957 CET | 587 | 49724 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:41:21.409216881 CET | 49724 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:41:21.510493994 CET | 587 | 49724 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:41:38.494920015 CET | 587 | 49725 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP s15-20020a05622a178f00b00430a07fb03asm4690474qtk.0 - gsmtp
                                Mar 18, 2024 14:41:38.495101929 CET | 49725 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:41:38.598723888 CET | 587 | 49725 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:41:38.599104881 CET | 49725 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:41:38.700109959 CET | 587 | 49725 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:41:48.159050941 CET | 587 | 49726 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP o5-20020ae9f505000000b0078812b73ea1sm4572262qkg.28 - gsmtp
                                Mar 18, 2024 14:41:48.159261942 CET | 49726 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:41:48.263358116 CET | 587 | 49726 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:41:48.263699055 CET | 49726 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:41:48.365295887 CET | 587 | 49726 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:41:50.166471958 CET | 587 | 49727 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP az37-20020a05620a172500b00789fb9cd6d9sm8159qkb.44 - gsmtp
                                Mar 18, 2024 14:41:50.166745901 CET | 49727 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:41:50.270610094 CET | 587 | 49727 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:41:50.270915031 CET | 49727 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:41:50.371262074 CET | 587 | 49727 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:41:53.712080002 CET | 587 | 49728 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP cr13-20020a05622a428d00b00430b0f40532sm3772402qtb.9 - gsmtp
                                Mar 18, 2024 14:41:53.712244034 CET | 49728 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:41:53.815228939 CET | 587 | 49728 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:41:53.815510988 CET | 49728 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:41:53.915749073 CET | 587 | 49728 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:41:54.229216099 CET | 587 | 49729 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP c14-20020ad45aee000000b00695e602d356sm2085555qvh.46 - gsmtp
                                Mar 18, 2024 14:41:54.229365110 CET | 49729 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:41:54.334031105 CET | 587 | 49729 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:41:54.334218025 CET | 49729 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:41:54.435359001 CET | 587 | 49729 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:41:55.670653105 CET | 587 | 49730 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP a9-20020ad45c49000000b0068fef1264f6sm5285231qva.101 - gsmtp
                                Mar 18, 2024 14:41:55.674190044 CET | 49730 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:41:55.780298948 CET | 587 | 49730 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:41:55.782191038 CET | 49730 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:41:55.883618116 CET | 587 | 49730 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:42:01.267477036 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP ib5-20020a0562141c8500b006962b97c97asm174122qvb.135 - gsmtp
                                Mar 18, 2024 14:42:01.269956112 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:42:01.373811960 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:42:01.374073029 CET | 49731 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:42:01.474545956 CET | 587 | 49731 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:42:07.101181984 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP gv4-20020a056214262400b0068fb6fb217csm5387294qvb.122 - gsmtp
                                Mar 18, 2024 14:42:07.101327896 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:42:07.208304882 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:42:07.208477974 CET | 49732 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:42:07.309973955 CET | 587 | 49732 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS
                                Mar 18, 2024 14:42:18.320626974 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10 | 220 smtp.gmail.com ESMTP cn7-20020a05622a248700b00430b60698e9sm3424729qtb.32 - gsmtp
                                Mar 18, 2024 14:42:18.320789099 CET | 49733 | 587 | 192.168.2.10 | 142.251.16.108 | EHLO 928100
                                Mar 18, 2024 14:42:18.424782038 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10 | 250-smtp.gmail.com at your service, [191.96.227.194]
                                    250-SIZE 35882577
                                    250-8BITMIME
                                    250-STARTTLS
                                    250-ENHANCEDSTATUSCODES
                                    250-PIPELINING
                                    250-CHUNKING
                                    250 SMTPUTF8
                                Mar 18, 2024 14:42:18.424949884 CET | 49733 | 587 | 192.168.2.10 | 142.251.16.108 | STARTTLS
                                Mar 18, 2024 14:42:18.526266098 CET | 587 | 49733 | 142.251.16.108 | 192.168.2.10 | 220 2.0.0 Ready to start TLS

                                Target ID:0
                                Start time:14:38:09
                                Start date:18/03/2024
                                Path:C:\Users\user\Desktop\ekstre_pdf.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\ekstre_pdf.exe
                                Imagebase:0x1d0000
                                File size:1'231'872 bytes
                                MD5 hash:3CA1479D77A23D47A2F01E8EF30A6365
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1241306003.0000000001990000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1241306003.0000000001990000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                Reputation:low
                                Has exited:true

                                Target ID:2
                                Start time:14:38:11
                                Start date:18/03/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Users\user\Desktop\ekstre_pdf.exe
                                Imagebase:0x3c0000
                                File size:45'984 bytes
                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:14:38:11
                                Start date:18/03/2024
                                Path:C:\Users\user\Desktop\ekstre_pdf.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\ekstre_pdf.exe
                                Imagebase:0x1d0000
                                File size:1'231'872 bytes
                                MD5 hash:3CA1479D77A23D47A2F01E8EF30A6365
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.1271764010.00000000017B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.1271764010.00000000017B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                Reputation:low
                                Has exited:true

                                Target ID:6
                                Start time:14:38:14
                                Start date:18/03/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\ekstre_pdf.exe
                                Imagebase:0x710000
                                File size:45'984 bytes
                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000006.00000002.3689857559.0000000005310000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3685292795.0000000002770000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000006.00000002.3689287526.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.3684362034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.3684362034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3686287968.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3686287968.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:false

                                  Execution Graph

                                  Execution Coverage:4.1%
                                  Dynamic/Decrypted Code Coverage:0.4%
                                  Signature Coverage:5.8%
                                  Total number of Nodes:2000
                                  Total number of Limit Nodes:43
                                  execution_graph: node and edge listing that backs the interactive Execution Graph viewer (raw graph data not reproduced). Windows API calls named in the listing: RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetFullPathNameW, GetModuleFileNameW, DecodePointer, RaiseException, GetModuleHandleExW, GetProcAddress, ExitProcess. Recognised runtime symbols: __write_nolock, _wcscat, __NMSG_WRITE, _memmove, _free, std::exception::exception, ___crtCorExitProcess.
97579 1f8d68 58 API calls __getptd_noexit 97556->97579 97558->97555 97561 1f598b RtlAllocateHeap 97558->97561 97563 1f59b3 97558->97563 97567 1f59b1 97558->97567 97575 1f35e1 DecodePointer 97558->97575 97560 1f59bf 97560->97496 97561->97558 97561->97560 97576 1f8d68 58 API calls __getptd_noexit 97563->97576 97577 1f8d68 58 API calls __getptd_noexit 97567->97577 97569->97496 97570->97501 97571->97503 97572->97555 97573->97555 97575->97558 97576->97567 97577->97560 97578->97556 97579->97560 97580->97515 97582 1f2e90 _fprintf 97581->97582 97589 1f3457 97582->97589 97588 1f2eb7 _fprintf 97588->97458 97606 1f9e4b 97589->97606 97591 1f2e99 97592 1f2ec8 DecodePointer DecodePointer 97591->97592 97593 1f2ea5 97592->97593 97594 1f2ef5 97592->97594 97603 1f2ec2 97593->97603 97594->97593 97652 1f89e4 59 API calls _fprintf 97594->97652 97596 1f2f58 EncodePointer EncodePointer 97596->97593 97597 1f2f07 97597->97596 97598 1f2f2c 97597->97598 97653 1f8aa4 61 API calls 2 library calls 97597->97653 97598->97593 97601 1f2f46 EncodePointer 97598->97601 97654 1f8aa4 61 API calls 2 library calls 97598->97654 97601->97596 97602 1f2f40 97602->97593 97602->97601 97655 1f3460 97603->97655 97607 1f9e6f EnterCriticalSection 97606->97607 97608 1f9e5c 97606->97608 97607->97591 97613 1f9ed3 97608->97613 97610 1f9e62 97610->97607 97637 1f32f5 58 API calls 3 library calls 97610->97637 97614 1f9edf _fprintf 97613->97614 97615 1f9ee8 97614->97615 97616 1f9f00 97614->97616 97638 1fa3ab 58 API calls 2 library calls 97615->97638 97624 1f9f21 _fprintf 97616->97624 97641 1f8a5d 58 API calls 2 library calls 97616->97641 97619 1f9eed 97639 1fa408 58 API calls 7 library calls 97619->97639 97620 1f9f15 97622 1f9f1c 97620->97622 97623 1f9f2b 97620->97623 97642 1f8d68 58 API calls __getptd_noexit 97622->97642 97627 1f9e4b __lock 58 API calls 97623->97627 97624->97610 97625 1f9ef4 97640 1f32df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 97625->97640 97629 1f9f32 97627->97629 97631 1f9f3f 
97629->97631 97632 1f9f57 97629->97632 97643 1fa06b InitializeCriticalSectionAndSpinCount 97631->97643 97644 1f2f95 97632->97644 97635 1f9f4b 97650 1f9f73 LeaveCriticalSection _doexit 97635->97650 97638->97619 97639->97625 97641->97620 97642->97624 97643->97635 97645 1f2f9e RtlFreeHeap 97644->97645 97649 1f2fc7 __dosmaperr 97644->97649 97646 1f2fb3 97645->97646 97645->97649 97651 1f8d68 58 API calls __getptd_noexit 97646->97651 97648 1f2fb9 GetLastError 97648->97649 97649->97635 97650->97624 97651->97648 97652->97597 97653->97598 97654->97602 97658 1f9fb5 LeaveCriticalSection 97655->97658 97657 1f2ec7 97657->97588 97658->97657 97659 20ff06 97660 20ff10 97659->97660 97696 1dac90 Mailbox _memmove 97659->97696 97923 1d8e34 59 API calls Mailbox 97660->97923 97664 1db685 97932 23a0b5 90 API calls 4 library calls 97664->97932 97666 1f0ff6 59 API calls Mailbox 97684 1da097 Mailbox 97666->97684 97669 1db5d5 97928 1d81a7 97669->97928 97672 21047f 97927 23a0b5 90 API calls 4 library calls 97672->97927 97673 1db5da 97937 23a0b5 90 API calls 4 library calls 97673->97937 97674 1d81a7 59 API calls 97674->97684 97675 1d7f41 59 API calls 97675->97696 97677 1d77c7 59 API calls 97677->97684 97679 21048e 97680 227405 59 API calls 97680->97684 97681 1f2f80 67 API calls __cinit 97681->97684 97683 2266f4 Mailbox 59 API calls 97686 1da1b7 97683->97686 97684->97666 97684->97669 97684->97672 97684->97673 97684->97674 97684->97677 97684->97680 97684->97681 97685 210e00 97684->97685 97684->97686 97689 1da6ba 97684->97689 97917 1dca20 342 API calls 2 library calls 97684->97917 97918 1dba60 60 API calls Mailbox 97684->97918 97936 23a0b5 90 API calls 4 library calls 97685->97936 97935 23a0b5 90 API calls 4 library calls 97689->97935 97693 210c94 97933 1d9df0 59 API calls Mailbox 97693->97933 97695 210ca2 97934 23a0b5 90 API calls 4 library calls 97695->97934 97696->97664 97696->97675 97696->97684 97696->97686 97696->97693 97696->97695 97699 1db37c 97696->97699 97700 1f0ff6 59 API calls Mailbox 
97696->97700 97705 1db416 97696->97705 97708 1dade2 Mailbox 97696->97708 97714 1da000 97696->97714 97836 24c5f4 97696->97836 97868 237be0 97696->97868 97874 24bf80 97696->97874 97914 2266f4 97696->97914 97924 227405 59 API calls 97696->97924 97925 24c4a7 86 API calls 2 library calls 97696->97925 97698 210c86 97698->97683 97698->97686 97920 1d9e9c 60 API calls Mailbox 97699->97920 97700->97696 97703 1db38d 97921 1d9e9c 60 API calls Mailbox 97703->97921 97922 1df803 342 API calls 97705->97922 97708->97664 97708->97686 97708->97698 97709 2100e0 VariantClear 97708->97709 97737 23d2e6 97708->97737 97784 24e237 97708->97784 97787 1e2123 97708->97787 97827 24474d 97708->97827 97919 1d9df0 59 API calls Mailbox 97708->97919 97926 227405 59 API calls 97708->97926 97709->97708 97715 1da01f 97714->97715 97731 1da04d Mailbox 97714->97731 97716 1f0ff6 Mailbox 59 API calls 97715->97716 97716->97731 97717 1db5d5 97718 1d81a7 59 API calls 97717->97718 97732 1da1b7 97718->97732 97719 1f0ff6 59 API calls Mailbox 97719->97731 97723 21047f 97940 23a0b5 90 API calls 4 library calls 97723->97940 97725 1d81a7 59 API calls 97725->97731 97726 1d77c7 59 API calls 97726->97731 97728 227405 59 API calls 97728->97731 97729 21048e 97729->97696 97730 1f2f80 67 API calls __cinit 97730->97731 97731->97717 97731->97719 97731->97723 97731->97725 97731->97726 97731->97728 97731->97730 97731->97732 97733 210e00 97731->97733 97735 1db5da 97731->97735 97736 1da6ba 97731->97736 97938 1dca20 342 API calls 2 library calls 97731->97938 97939 1dba60 60 API calls Mailbox 97731->97939 97732->97696 97942 23a0b5 90 API calls 4 library calls 97733->97942 97943 23a0b5 90 API calls 4 library calls 97735->97943 97941 23a0b5 90 API calls 4 library calls 97736->97941 97738 23d310 97737->97738 97739 23d305 97737->97739 97741 23d3ea Mailbox 97738->97741 97744 1d77c7 59 API calls 97738->97744 97975 1d9c9c 59 API calls 97739->97975 97742 1f0ff6 Mailbox 59 API calls 97741->97742 97780 23d3f3 Mailbox 97741->97780 97743 
23d433 97742->97743 97746 23d43f 97743->97746 98041 1d5906 60 API calls Mailbox 97743->98041 97745 23d334 97744->97745 97747 1d77c7 59 API calls 97745->97747 97944 1d9997 97746->97944 97750 23d33d 97747->97750 97752 1d9997 85 API calls 97750->97752 97754 23d349 97752->97754 97976 1d46f9 97754->97976 97757 23d46a GetLastError 97760 23d483 97757->97760 97758 23d49e 97762 23d500 97758->97762 97763 23d4c9 97758->97763 97759 23d35e 98027 1d7c8e 97759->98027 97760->97780 98042 1d5a1a CloseHandle 97760->98042 97767 1f0ff6 Mailbox 59 API calls 97762->97767 97765 1f0ff6 Mailbox 59 API calls 97763->97765 97768 23d4ce 97765->97768 97766 23d3e3 98040 1d9c9c 59 API calls 97766->98040 97772 23d505 97767->97772 97773 23d4df 97768->97773 97775 1d77c7 59 API calls 97768->97775 97777 1d77c7 59 API calls 97772->97777 97772->97780 98043 23f835 59 API calls 2 library calls 97773->98043 97775->97773 97776 23d3a5 97779 1d7f41 59 API calls 97776->97779 97777->97780 97781 23d3b2 97779->97781 97780->97708 98039 233c66 63 API calls Mailbox 97781->98039 97783 23d3bb Mailbox 97783->97766 98128 24cdf1 97784->98128 97786 24e247 97786->97708 98239 1d9bf8 97787->98239 97790 1f0ff6 Mailbox 59 API calls 97792 1e2154 97790->97792 97793 1e2164 97792->97793 98267 1d5906 60 API calls Mailbox 97792->98267 97797 1d9997 85 API calls 97793->97797 97795 2169af 97796 1e2189 97795->97796 98271 23f7df 59 API calls 97795->98271 97802 1e2196 97796->97802 98272 1d9c9c 59 API calls 97796->98272 97799 1e2172 97797->97799 97801 1d5956 67 API calls 97799->97801 97800 2169f7 97800->97802 97803 2169ff 97800->97803 97804 1e2181 97801->97804 97806 1d5e3f 2 API calls 97802->97806 98273 1d9c9c 59 API calls 97803->98273 97804->97795 97804->97796 98270 1d5a1a CloseHandle 97804->98270 97808 1e219d 97806->97808 97809 216a11 97808->97809 97810 1e21b7 97808->97810 97812 1f0ff6 Mailbox 59 API calls 97809->97812 97811 1d77c7 59 API calls 97810->97811 97813 1e21bf 97811->97813 97814 216a17 97812->97814 98252 1d56d2 97813->98252 
97816 216a2b 97814->97816 98274 1d59b0 ReadFile SetFilePointerEx 97814->98274 97821 216a2f _memmove 97816->97821 98275 23794e 59 API calls 2 library calls 97816->98275 97818 1e21ce 97818->97821 98268 1d9b9c 59 API calls Mailbox 97818->98268 97822 1e21e2 Mailbox 97823 1e221c 97822->97823 97824 1d5dcf CloseHandle 97822->97824 97823->97708 97825 1e2210 97824->97825 97825->97823 98269 1d5a1a CloseHandle 97825->98269 97828 1d9997 85 API calls 97827->97828 97829 244787 97828->97829 98313 1d63a0 97829->98313 97831 244797 97832 2447bc 97831->97832 97833 1da000 342 API calls 97831->97833 97834 1d9bf8 59 API calls 97832->97834 97835 2447c0 97832->97835 97833->97832 97834->97835 97835->97708 97837 1d77c7 59 API calls 97836->97837 97838 24c608 97837->97838 97839 1d77c7 59 API calls 97838->97839 97840 24c610 97839->97840 97841 1d77c7 59 API calls 97840->97841 97842 24c618 97841->97842 97843 1d9997 85 API calls 97842->97843 97867 24c626 97843->97867 97844 1d7d2c 59 API calls 97844->97867 97845 24c80f 97846 24c83c Mailbox 97845->97846 98371 1d9b9c 59 API calls Mailbox 97845->98371 97846->97696 97848 24c7f6 97851 1d7e0b 59 API calls 97848->97851 97849 24c811 97852 1d7e0b 59 API calls 97849->97852 97850 1d81a7 59 API calls 97850->97867 97853 24c803 97851->97853 97855 24c820 97852->97855 97857 1d7c8e 59 API calls 97853->97857 97854 1d7a84 59 API calls 97854->97867 97858 1d7c8e 59 API calls 97855->97858 97856 1d7faf 59 API calls 97860 24c6bd CharUpperBuffW 97856->97860 97857->97845 97858->97845 97859 1d7faf 59 API calls 97861 24c77d CharUpperBuffW 97859->97861 98358 1d859a 68 API calls 97860->98358 98359 1dc707 97861->98359 97864 1d7e0b 59 API calls 97864->97867 97865 1d9997 85 API calls 97865->97867 97866 1d7c8e 59 API calls 97866->97867 97867->97844 97867->97845 97867->97846 97867->97848 97867->97849 97867->97850 97867->97854 97867->97856 97867->97859 97867->97864 97867->97865 97867->97866 97869 237bec 97868->97869 97870 1f0ff6 Mailbox 59 API calls 97869->97870 97871 237bfa 
97870->97871 97872 237c08 97871->97872 97873 1d77c7 59 API calls 97871->97873 97872->97696 97873->97872 97875 24bfc5 97874->97875 97876 24bfab 97874->97876 98375 24a528 59 API calls Mailbox 97875->98375 98374 23a0b5 90 API calls 4 library calls 97876->98374 97879 24bfd0 97880 1da000 341 API calls 97879->97880 97881 24c031 97880->97881 97882 24c0c3 97881->97882 97885 24c072 97881->97885 97891 24bfbd Mailbox 97881->97891 97883 24c119 97882->97883 97884 24c0c9 97882->97884 97886 1d9997 85 API calls 97883->97886 97883->97891 98396 237ba4 59 API calls 97884->98396 98376 237581 59 API calls Mailbox 97885->98376 97887 24c12b 97886->97887 97890 1d7faf 59 API calls 97887->97890 97895 24c14f CharUpperBuffW 97890->97895 97891->97696 97892 24c0ec 98397 1d5ea1 59 API calls Mailbox 97892->98397 97894 24c0a2 98377 1df5c0 97894->98377 97898 24c169 97895->97898 97896 24c0f4 Mailbox 98398 1dfe40 97896->98398 97899 24c170 97898->97899 97900 24c1bc 97898->97900 98478 237581 59 API calls Mailbox 97899->98478 97902 1d9997 85 API calls 97900->97902 97903 24c1c4 97902->97903 98479 1d9fbd 60 API calls 97903->98479 97906 24c19e 97907 1df5c0 341 API calls 97906->97907 97907->97891 97908 24c1ce 97908->97891 97909 1d9997 85 API calls 97908->97909 97910 24c1e9 97909->97910 98480 1d5ea1 59 API calls Mailbox 97910->98480 97912 24c1f9 97913 1dfe40 341 API calls 97912->97913 97913->97891 99749 226636 97914->99749 97916 226702 97916->97696 97917->97684 97918->97684 97919->97708 97920->97703 97921->97705 97922->97664 97923->97696 97924->97696 97925->97696 97926->97708 97927->97679 97929 1d81ba 97928->97929 97930 1d81b2 97928->97930 97929->97686 99754 1d80d7 59 API calls 2 library calls 97930->99754 97932->97698 97933->97698 97934->97698 97935->97686 97936->97673 97937->97686 97938->97731 97939->97731 97940->97729 97941->97732 97942->97735 97943->97732 97945 1d99ab 97944->97945 97946 1d99b1 97944->97946 97962 1d5956 97945->97962 97947 20f9fc __i64tow 97946->97947 97948 1d99f9 97946->97948 97950 1d99b7 
__itow 97946->97950 97953 20f903 97946->97953 98044 1f38d8 84 API calls 3 library calls 97948->98044 97952 1f0ff6 Mailbox 59 API calls 97950->97952 97954 1d99d1 97952->97954 97955 1f0ff6 Mailbox 59 API calls 97953->97955 97957 20f97b Mailbox _wcscpy 97953->97957 97954->97945 97956 1d7f41 59 API calls 97954->97956 97959 20f948 97955->97959 97956->97945 98045 1f38d8 84 API calls 3 library calls 97957->98045 97958 1f0ff6 Mailbox 59 API calls 97960 20f96e 97958->97960 97959->97958 97960->97957 97961 1d7f41 59 API calls 97960->97961 97961->97957 98046 1d5dcf 97962->98046 97966 1d59a4 97966->97757 97966->97758 97967 1d5981 97967->97966 98058 1d5770 97967->98058 97969 1d5993 98075 1d53db SetFilePointerEx SetFilePointerEx 97969->98075 97971 20e030 98076 233696 SetFilePointerEx SetFilePointerEx WriteFile 97971->98076 97972 1d599a 97972->97966 97972->97971 97974 20e060 97974->97966 97975->97738 97977 1d77c7 59 API calls 97976->97977 97978 1d470f 97977->97978 97979 1d77c7 59 API calls 97978->97979 97980 1d4717 97979->97980 97981 1d77c7 59 API calls 97980->97981 97982 1d471f 97981->97982 97983 1d77c7 59 API calls 97982->97983 97984 1d4727 97983->97984 97985 1d475b 97984->97985 97986 20d8fb 97984->97986 97987 1d79ab 59 API calls 97985->97987 97988 1d81a7 59 API calls 97986->97988 97989 1d4769 97987->97989 97990 20d904 97988->97990 97991 1d7e8c 59 API calls 97989->97991 97992 1d7eec 59 API calls 97990->97992 97993 1d4773 97991->97993 97995 1d479e 97992->97995 97994 1d79ab 59 API calls 97993->97994 97993->97995 97997 1d4794 97994->97997 97998 1d47bd 97995->97998 98008 20d924 97995->98008 98013 1d47de 97995->98013 98001 1d7e8c 59 API calls 97997->98001 98112 1d7b52 97998->98112 98000 1d47ef 98004 1d4801 98000->98004 98006 1d81a7 59 API calls 98000->98006 98001->97995 98002 20d9f4 98005 1d7d2c 59 API calls 98002->98005 98007 1d4811 98004->98007 98010 1d81a7 59 API calls 98004->98010 98022 20d9b1 98005->98022 98006->98004 98012 1d4818 98007->98012 98014 1d81a7 59 API calls 
98007->98014 98008->98002 98011 20d9dd 98008->98011 98020 20d95b 98008->98020 98009 1d79ab 59 API calls 98009->98013 98010->98007 98011->98002 98017 20d9c8 98011->98017 98015 1d81a7 59 API calls 98012->98015 98024 1d481f Mailbox 98012->98024 98099 1d79ab 98013->98099 98014->98012 98015->98024 98016 20d9b9 98018 1d7d2c 59 API calls 98016->98018 98019 1d7d2c 59 API calls 98017->98019 98018->98022 98019->98022 98020->98016 98025 20d9a4 98020->98025 98021 1d7b52 59 API calls 98021->98022 98022->98013 98022->98021 98115 1d7a84 59 API calls 2 library calls 98022->98115 98024->97759 98026 1d7d2c 59 API calls 98025->98026 98026->98022 98028 20f094 98027->98028 98029 1d7ca0 98027->98029 98123 228123 59 API calls _memmove 98028->98123 98117 1d7bb1 98029->98117 98032 20f09e 98034 1d81a7 59 API calls 98032->98034 98033 1d7cac 98033->97766 98036 233e73 98033->98036 98035 20f0a6 Mailbox 98034->98035 98124 234696 GetFileAttributesW 98036->98124 98039->97783 98040->97741 98041->97746 98042->97780 98043->97780 98044->97950 98045->97947 98047 1d5962 98046->98047 98048 1d5de8 98046->98048 98050 1d5df9 98047->98050 98048->98047 98049 1d5ded CloseHandle 98048->98049 98049->98047 98051 20e181 98050->98051 98052 1d5e12 CreateFileW 98050->98052 98053 1d5e34 98051->98053 98054 20e187 CreateFileW 98051->98054 98052->98053 98053->97967 98054->98053 98055 20e1ad 98054->98055 98077 1d5c4e 98055->98077 98059 1d578b 98058->98059 98060 20dfce 98058->98060 98061 1d5c4e 2 API calls 98059->98061 98069 1d581a 98059->98069 98060->98069 98093 1d5e3f 98060->98093 98062 1d57ad 98061->98062 98063 1d538e 59 API calls 98062->98063 98065 1d57b7 98063->98065 98065->98060 98066 1d57c4 98065->98066 98067 1f0ff6 Mailbox 59 API calls 98066->98067 98068 1d57cf 98067->98068 98070 1d538e 59 API calls 98068->98070 98069->97969 98071 1d57da 98070->98071 98087 1d5d20 98071->98087 98074 1d5c4e 2 API calls 98074->98069 98075->97972 98076->97974 98084 1d5c68 98077->98084 98078 1d5cef SetFilePointerEx 98085 1d5dae 
SetFilePointerEx 98078->98085 98079 20e151 98086 1d5dae SetFilePointerEx 98079->98086 98082 1d5cc3 98082->98053 98083 20e16b 98084->98078 98084->98079 98084->98082 98085->98082 98086->98083 98088 1d5d93 98087->98088 98092 1d5d2e 98087->98092 98098 1d5dae SetFilePointerEx 98088->98098 98089 1d5807 98089->98074 98091 1d5d66 ReadFile 98091->98089 98091->98092 98092->98089 98092->98091 98094 1d5c4e 2 API calls 98093->98094 98095 1d5e60 98094->98095 98096 1d5c4e 2 API calls 98095->98096 98097 1d5e74 98096->98097 98097->98069 98098->98092 98100 1d79ba 98099->98100 98101 1d7a17 98099->98101 98100->98101 98102 1d79c5 98100->98102 98103 1d7e8c 59 API calls 98101->98103 98105 20ef32 98102->98105 98106 1d79e0 98102->98106 98104 1d79e8 _memmove 98103->98104 98104->98000 98107 1d8189 59 API calls 98105->98107 98116 1d8087 59 API calls Mailbox 98106->98116 98109 20ef3c 98107->98109 98110 1f0ff6 Mailbox 59 API calls 98109->98110 98111 20ef5c 98110->98111 98113 1d7faf 59 API calls 98112->98113 98114 1d47c7 98113->98114 98114->98009 98114->98013 98115->98022 98116->98104 98118 1d7bbf 98117->98118 98119 1d7be5 _memmove 98117->98119 98118->98119 98120 1f0ff6 Mailbox 59 API calls 98118->98120 98119->98033 98121 1d7c34 98120->98121 98122 1f0ff6 Mailbox 59 API calls 98121->98122 98122->98119 98123->98032 98125 233e7a 98124->98125 98126 2346b1 FindFirstFileW 98124->98126 98125->97766 98125->97776 98126->98125 98127 2346c6 FindClose 98126->98127 98127->98125 98129 1d9997 85 API calls 98128->98129 98130 24ce2e 98129->98130 98134 24ce75 Mailbox 98130->98134 98166 24dab9 98130->98166 98132 24d242 98216 24dbdc 93 API calls Mailbox 98132->98216 98134->97786 98136 24d251 98138 24d0db 98136->98138 98139 24d25d 98136->98139 98137 24cec6 Mailbox 98137->98134 98140 1d9997 85 API calls 98137->98140 98153 24d0cd 98137->98153 98198 23f835 59 API calls 2 library calls 98137->98198 98199 24d2f3 61 API calls 2 library calls 98137->98199 98179 24cc82 98138->98179 98139->98134 98140->98137 98145 24d114 
98194 1f0e48 98145->98194 98148 24d147 98201 1d942e 98148->98201 98149 24d12e 98200 23a0b5 90 API calls 4 library calls 98149->98200 98152 24d139 GetCurrentProcess TerminateProcess 98152->98148 98153->98132 98153->98138 98158 24d2b8 98158->98134 98162 24d2cc FreeLibrary 98158->98162 98159 24d17f 98213 24d95d 108 API calls _free 98159->98213 98162->98134 98165 24d190 98165->98158 98214 1d8ea0 59 API calls Mailbox 98165->98214 98215 1d9e9c 60 API calls Mailbox 98165->98215 98217 24d95d 108 API calls _free 98165->98217 98167 1d7faf 59 API calls 98166->98167 98168 24dad4 CharLowerBuffW 98167->98168 98218 22f658 98168->98218 98172 1d77c7 59 API calls 98173 24db0d 98172->98173 98174 1d79ab 59 API calls 98173->98174 98175 24db24 98174->98175 98176 1d7e8c 59 API calls 98175->98176 98177 24db30 Mailbox 98176->98177 98178 24db6c Mailbox 98177->98178 98225 24d2f3 61 API calls 2 library calls 98177->98225 98178->98137 98180 24ccf2 98179->98180 98181 24cc9d 98179->98181 98185 24dd64 98180->98185 98182 1f0ff6 Mailbox 59 API calls 98181->98182 98184 24ccbf 98182->98184 98183 1f0ff6 Mailbox 59 API calls 98183->98184 98184->98180 98184->98183 98186 24df8d Mailbox 98185->98186 98193 24dd87 _strcat _wcscpy __NMSG_WRITE 98185->98193 98186->98145 98187 1d9d46 59 API calls 98187->98193 98188 1d9c9c 59 API calls 98188->98193 98189 1d9cf8 59 API calls 98189->98193 98190 1d9997 85 API calls 98190->98193 98191 1f594c 58 API calls std::exception::_Copy_str 98191->98193 98193->98186 98193->98187 98193->98188 98193->98189 98193->98190 98193->98191 98228 235b29 61 API calls 2 library calls 98193->98228 98195 1f0e5d 98194->98195 98196 1f0ef5 VirtualAlloc 98195->98196 98197 1f0ec3 98195->98197 98196->98197 98197->98148 98197->98149 98198->98137 98199->98137 98200->98152 98202 1d9436 98201->98202 98203 1f0ff6 Mailbox 59 API calls 98202->98203 98204 1d9444 98203->98204 98205 1d9450 98204->98205 98229 1d935c 59 API calls Mailbox 98204->98229 98207 1d91b0 98205->98207 98230 1d92c0 98207->98230 98209 
1d91bf 98210 1f0ff6 Mailbox 59 API calls 98209->98210 98211 1d925b 98209->98211 98210->98211 98211->98165 98212 1d8ea0 59 API calls Mailbox 98211->98212 98212->98159 98213->98165 98214->98165 98215->98165 98216->98136 98217->98165 98219 22f683 __NMSG_WRITE 98218->98219 98220 22f6c2 98219->98220 98223 22f769 98219->98223 98224 22f6b8 98219->98224 98220->98172 98220->98177 98223->98220 98227 1d7a24 61 API calls 98223->98227 98224->98220 98226 1d7a24 61 API calls 98224->98226 98225->98178 98226->98224 98227->98223 98228->98193 98229->98205 98231 1d92c9 Mailbox 98230->98231 98232 20f5c8 98231->98232 98237 1d92d3 98231->98237 98233 1f0ff6 Mailbox 59 API calls 98232->98233 98235 20f5d4 98233->98235 98234 1d92da 98234->98209 98237->98234 98238 1d9df0 59 API calls Mailbox 98237->98238 98238->98237 98240 1d9c08 98239->98240 98241 20fbff 98239->98241 98246 1f0ff6 Mailbox 59 API calls 98240->98246 98242 20fc10 98241->98242 98244 1d7d2c 59 API calls 98241->98244 98243 1d7eec 59 API calls 98242->98243 98245 20fc1a 98243->98245 98244->98242 98249 1d77c7 59 API calls 98245->98249 98251 1d9c34 98245->98251 98247 1d9c1b 98246->98247 98247->98245 98248 1d9c26 98247->98248 98250 1d7f41 59 API calls 98248->98250 98248->98251 98249->98251 98250->98251 98251->97790 98251->97795 98253 1d56dd 98252->98253 98254 1d5702 98252->98254 98253->98254 98259 1d56ec 98253->98259 98255 1d7eec 59 API calls 98254->98255 98258 23349a 98255->98258 98256 2334c9 98256->97818 98258->98256 98276 233436 ReadFile SetFilePointerEx 98258->98276 98277 1d7a84 59 API calls 2 library calls 98258->98277 98278 1d5c18 98259->98278 98266 2335d8 Mailbox 98266->97818 98267->97793 98268->97822 98269->97823 98270->97795 98271->97795 98272->97800 98273->97808 98274->97816 98275->97821 98276->98258 98277->98258 98279 1f0ff6 Mailbox 59 API calls 98278->98279 98280 1d5c2b 98279->98280 98281 1f0ff6 Mailbox 59 API calls 98280->98281 98282 1d5c37 98281->98282 98283 1d5632 98282->98283 98290 1d5a2f 98283->98290 98285 1d5674 
98285->98266 98289 1d793a 61 API calls Mailbox 98285->98289 98286 1d5d20 2 API calls 98287 1d5643 98286->98287 98287->98285 98287->98286 98297 1d5bda 98287->98297 98289->98266 98291 20e065 98290->98291 98292 1d5a40 98290->98292 98306 226443 59 API calls Mailbox 98291->98306 98292->98287 98294 20e06f 98295 1f0ff6 Mailbox 59 API calls 98294->98295 98296 20e07b 98295->98296 98298 1d5bee 98297->98298 98299 20e117 98297->98299 98307 1d5b19 98298->98307 98312 226443 59 API calls Mailbox 98299->98312 98302 1d5bfa 98302->98287 98303 20e122 98304 1f0ff6 Mailbox 59 API calls 98303->98304 98305 20e137 _memmove 98304->98305 98306->98294 98308 1d5b31 98307->98308 98311 1d5b2a _memmove 98307->98311 98309 20e0a7 98308->98309 98310 1f0ff6 Mailbox 59 API calls 98308->98310 98310->98311 98311->98302 98312->98303 98339 1d7b76 98313->98339 98315 1d65ca 98346 1d766f 98315->98346 98317 1d65e4 Mailbox 98317->97831 98320 20e41f 98356 22fdba 92 API calls 4 library calls 98320->98356 98321 1d68f9 98321->98317 98357 22fdba 92 API calls 4 library calls 98321->98357 98324 1d766f 59 API calls 98333 1d63c5 98324->98333 98326 20e42d 98328 1d766f 59 API calls 98326->98328 98327 1d7eec 59 API calls 98327->98333 98329 20e443 98328->98329 98329->98317 98330 20e3bb 98331 1d8189 59 API calls 98330->98331 98332 20e3c6 98331->98332 98337 1f0ff6 Mailbox 59 API calls 98332->98337 98333->98315 98333->98320 98333->98321 98333->98324 98333->98327 98333->98330 98335 1d7faf 59 API calls 98333->98335 98338 20e3eb _memmove 98333->98338 98344 1d60cc 60 API calls 98333->98344 98345 1d5ea1 59 API calls Mailbox 98333->98345 98354 1d5fd2 60 API calls 98333->98354 98355 1d7a84 59 API calls 2 library calls 98333->98355 98336 1d659b CharUpperBuffW 98335->98336 98336->98333 98337->98338 98338->98320 98338->98321 98340 1f0ff6 Mailbox 59 API calls 98339->98340 98341 1d7b9b 98340->98341 98342 1d8189 59 API calls 98341->98342 98343 1d7baa 98342->98343 98343->98333 98344->98333 98345->98333 98347 1d770f 98346->98347 98353 
1d7682 _memmove 98346->98353 98349 1f0ff6 Mailbox 59 API calls 98347->98349 98348 1f0ff6 Mailbox 59 API calls 98350 1d7689 98348->98350 98349->98353 98351 1f0ff6 Mailbox 59 API calls 98350->98351 98352 1d76b2 98350->98352 98351->98352 98352->98317 98353->98348 98354->98333 98355->98333 98356->98326 98357->98317 98358->97867 98360 1d7b76 59 API calls 98359->98360 98361 1dc72c _wcscmp 98359->98361 98360->98361 98362 1d7f41 59 API calls 98361->98362 98365 1dc760 Mailbox 98361->98365 98363 211abb 98362->98363 98364 1d7c8e 59 API calls 98363->98364 98366 211ac6 98364->98366 98365->97867 98372 1d859a 68 API calls 98366->98372 98368 211ad7 98370 211adb Mailbox 98368->98370 98373 1d9e9c 60 API calls Mailbox 98368->98373 98370->97867 98371->97846 98372->98368 98373->98370 98374->97891 98375->97879 98376->97894 98378 1df61a 98377->98378 98379 1df7b0 98377->98379 98381 214848 98378->98381 98382 1df626 98378->98382 98380 1d7f41 59 API calls 98379->98380 98388 1df6ec Mailbox 98380->98388 98383 24bf80 342 API calls 98381->98383 98481 1df3f0 98382->98481 98385 214856 98383->98385 98389 1df790 98385->98389 98586 23a0b5 90 API calls 4 library calls 98385->98586 98387 1df65d 98387->98385 98387->98388 98387->98389 98392 233e73 3 API calls 98388->98392 98496 23cde5 98388->98496 98576 1d4faa 98388->98576 98582 24e24b 98388->98582 98389->97891 98391 1df743 98391->98389 98585 1d9df0 59 API calls Mailbox 98391->98585 98392->98391 98396->97892 98397->97896 99556 1d82e0 98398->99556 98400 1dfe9d 98401 1e0856 98400->98401 98402 214b57 98400->98402 99561 1df394 98400->99561 99654 23a0b5 90 API calls 4 library calls 98401->99654 99655 23a0b5 90 API calls 4 library calls 98402->99655 98406 214b6c 98407 214cb7 98407->98406 98410 1dffac 98407->98410 99661 24a5ee 86 API calls Mailbox 98407->99661 98408 1dff9e 98408->98407 98408->98410 99659 226c62 59 API calls 2 library calls 98408->99659 98409 1e0677 98417 1f0ff6 Mailbox 59 API calls 98409->98417 98419 214d23 98410->98419 98464 214f7d 
98410->98464 99565 1d84dc 98410->99565 98411 214c01 98411->98406 99657 23a0b5 90 API calls 4 library calls 98411->99657 98414 1f0ff6 59 API calls Mailbox 98440 1dff33 98414->98440 98425 1e06a5 _memmove 98417->98425 98418 214c72 99660 226665 59 API calls 2 library calls 98418->99660 98426 214d41 98419->98426 99663 1d8720 59 API calls Mailbox 98419->99663 98421 214b7f 98421->98411 99656 1df803 342 API calls 98421->99656 98437 1f0ff6 Mailbox 59 API calls 98425->98437 98432 214d52 98426->98432 99664 1d8720 59 API calls Mailbox 98426->99664 98427 1e0004 98435 214f00 98427->98435 98436 1e0092 98427->98436 98470 1e02d9 Mailbox _memmove 98427->98470 98428 214c95 98430 1da000 342 API calls 98428->98430 98429 214cdc Mailbox 98429->98410 99662 226c62 59 API calls 2 library calls 98429->99662 98430->98407 98432->98470 99665 226621 59 API calls Mailbox 98432->99665 99674 239d71 60 API calls 98435->99674 98438 1f0ff6 Mailbox 59 API calls 98436->98438 98476 1e0266 _memmove 98437->98476 98442 1e0099 98438->98442 98440->98406 98440->98408 98440->98409 98440->98414 98440->98421 98440->98425 98443 1da000 342 API calls 98440->98443 98451 214c36 98440->98451 98442->98401 99572 1e0b30 98442->99572 98443->98440 98444 214e77 98445 1da000 342 API calls 98444->98445 98447 214eb1 98445->98447 98447->98406 99669 1d8620 98447->99669 98449 1e0112 98449->98401 98449->98425 98456 1e0146 98449->98456 99658 23a0b5 90 API calls 4 library calls 98451->99658 98454 214edc 99673 23a0b5 90 API calls 4 library calls 98454->99673 98460 1d81a7 59 API calls 98456->98460 98462 1e0167 98456->98462 98460->98462 98461 1f0ff6 59 API calls Mailbox 98461->98470 98462->98401 98465 214f4e 98462->98465 98468 1e01ac 98462->98468 98463 1e04f8 98463->97891 98464->98406 99676 23a0b5 90 API calls 4 library calls 98464->99676 99675 1d9e9c 60 API calls Mailbox 98465->99675 98467 1e0238 99649 1d9e9c 60 API calls Mailbox 98467->99649 98468->98401 98468->98464 98468->98467 98470->98401 98470->98444 98470->98454 98470->98461 
100536->100539 100540 1d375d PostQuitMessage 100537->100540 100541 1d3695 100537->100541 100543 1d36ed 100538->100543 100544 20d31c 100538->100544 100542 1d36ca DefWindowProcW 100539->100542 100550 1d36d8 100540->100550 100547 1d36a0 100541->100547 100548 20d38f 100541->100548 100542->100550 100545 1d3715 SetTimer RegisterWindowMessageW 100543->100545 100546 1d36f2 100543->100546 100585 1e11d0 10 API calls Mailbox 100544->100585 100545->100550 100553 1d373e CreatePopupMenu I_RpcFreeBuffer 100545->100553 100551 1d36f9 KillTimer 100546->100551 100552 20d2bf 100546->100552 100554 1d36a8 100547->100554 100555 1d3767 100547->100555 100589 232a16 71 API calls _memset 100548->100589 100580 1d44cb Shell_NotifyIconW _memset 100551->100580 100558 20d2c4 100552->100558 100559 20d2f8 MoveWindow 100552->100559 100561 1d374b 100553->100561 100562 20d374 100554->100562 100563 1d36b3 100554->100563 100583 1d4531 64 API calls _memset 100555->100583 100557 20d343 100586 1e11f3 342 API calls Mailbox 100557->100586 100567 20d2e7 SetFocus 100558->100567 100568 20d2c8 100558->100568 100559->100550 100582 1d45df 81 API calls _memset 100561->100582 100562->100542 100588 22817e 59 API calls Mailbox 100562->100588 100563->100561 100571 1d36be 100563->100571 100564 20d3a1 100564->100542 100564->100550 100567->100550 100568->100571 100573 20d2d1 100568->100573 100569 1d370c 100581 1d3114 DeleteObject DestroyWindow Mailbox 100569->100581 100571->100542 100587 1d44cb Shell_NotifyIconW _memset 100571->100587 100572 1d375b 100572->100550 100584 1e11d0 10 API calls Mailbox 100573->100584 100578 20d368 100579 1d43db 68 API calls 100578->100579 100579->100539 100580->100569 100581->100550 100582->100572 100583->100572 100584->100550 100585->100557 100586->100571 100587->100578 100588->100539 100589->100564 100590 21220e GetTempPathW 100591 21222b 100590->100591 100592 1db56e 100599 1efb84 100592->100599 100594 1db584 100595 1dc707 69 API calls 100594->100595 100596 1db5ac 100595->100596 100597 
1da4e8 100596->100597 100608 23a0b5 90 API calls 4 library calls 100596->100608 100600 1efba2 100599->100600 100601 1efb90 100599->100601 100603 1efba8 100600->100603 100604 1efbd1 100600->100604 100609 1d9e9c 60 API calls Mailbox 100601->100609 100605 1f0ff6 Mailbox 59 API calls 100603->100605 100610 1d9e9c 60 API calls Mailbox 100604->100610 100607 1efb9a 100605->100607 100607->100594 100608->100597 100609->100607 100610->100607 100611 1de70b 100614 1dd260 100611->100614 100613 1de719 100615 1dd27d 100614->100615 100643 1dd4dd 100614->100643 100616 212abb 100615->100616 100617 212b0a 100615->100617 100636 1dd2a4 100615->100636 100620 212abe 100616->100620 100627 212ad9 100616->100627 100658 24a6fb 342 API calls __cinit 100617->100658 100621 212aca 100620->100621 100620->100636 100656 24ad0f 342 API calls 100621->100656 100623 1f2f80 __cinit 67 API calls 100623->100636 100625 212cdf 100625->100625 100626 1dd6ab 100626->100613 100627->100643 100657 24b1b7 342 API calls 3 library calls 100627->100657 100628 1dd594 100650 1d8bb2 68 API calls 100628->100650 100632 1dd5a3 100632->100613 100633 212c26 100662 24aa66 90 API calls 100633->100662 100636->100623 100636->100626 100636->100628 100636->100633 100638 1d8620 69 API calls 100636->100638 100636->100643 100645 1da000 342 API calls 100636->100645 100646 1d81a7 59 API calls 100636->100646 100648 1d88a0 68 API calls __cinit 100636->100648 100649 1d86a2 68 API calls 100636->100649 100651 1d859a 68 API calls 100636->100651 100652 1dd0dc 342 API calls 100636->100652 100653 1d9f3a 59 API calls Mailbox 100636->100653 100654 1dd060 90 API calls 100636->100654 100655 1dcedd 342 API calls 100636->100655 100659 1d8bb2 68 API calls 100636->100659 100660 1d9e9c 60 API calls Mailbox 100636->100660 100661 226d03 60 API calls 100636->100661 100638->100636 100643->100626 100663 23a0b5 90 API calls 4 library calls 100643->100663 100645->100636 100646->100636 100648->100636 100649->100636 100650->100632 100651->100636 100652->100636 
100653->100636 100654->100636 100655->100636 100656->100626 100657->100643 100658->100636 100659->100636 100660->100636 100661->100636 100662->100643 100663->100625 100664 1d568a 100665 1d5c18 59 API calls 100664->100665 100666 1d569c 100665->100666 100667 1d5632 61 API calls 100666->100667 100668 1d56aa 100667->100668 100670 1d56ba Mailbox 100668->100670 100671 1d81c1 61 API calls Mailbox 100668->100671 100671->100670 100672 19824e0 100687 1980000 100672->100687 100674 1982590 100690 1982300 100674->100690 100693 19835f0 GetPEB 100687->100693 100689 198068b 100689->100674 100691 198230d Sleep 100690->100691 100692 198231c 100691->100692 100694 198361a 100693->100694 100694->100689 100695 1d1066 100700 1df8cf 100695->100700 100697 1d106c 100698 1f2f80 __cinit 67 API calls 100697->100698 100699 1d1076 100698->100699 100701 1df8f0 100700->100701 100733 1f0143 100701->100733 100705 1df937 100706 1d77c7 59 API calls 100705->100706 100707 1df941 100706->100707 100708 1d77c7 59 API calls 100707->100708 100709 1df94b 100708->100709 100710 1d77c7 59 API calls 100709->100710 100711 1df955 100710->100711 100712 1d77c7 59 API calls 100711->100712 100713 1df993 100712->100713 100714 1d77c7 59 API calls 100713->100714 100715 1dfa5e 100714->100715 100743 1e60e7 100715->100743 100719 1dfa90 100720 1d77c7 59 API calls 100719->100720 100721 1dfa9a 100720->100721 100771 1effde 100721->100771 100723 1dfae1 100724 1dfaf1 GetStdHandle 100723->100724 100725 1dfb3d 100724->100725 100726 2149d5 100724->100726 100727 1dfb45 OleInitialize 100725->100727 100726->100725 100728 2149de 100726->100728 100727->100697 100778 236dda 64 API calls Mailbox 100728->100778 100730 2149e5 100779 2374a9 CreateThread 100730->100779 100732 2149f1 CloseHandle 100732->100727 100780 1f021c 100733->100780 100736 1f021c 59 API calls 100737 1f0185 100736->100737 100738 1d77c7 59 API calls 100737->100738 100739 1f0191 100738->100739 100740 1d7d2c 59 API calls 100739->100740 100741 1df8f6 100740->100741 100742 
1f03a2 6 API calls 100741->100742 100742->100705 100744 1d77c7 59 API calls 100743->100744 100745 1e60f7 100744->100745 100746 1d77c7 59 API calls 100745->100746 100747 1e60ff 100746->100747 100787 1e5bfd 100747->100787 100750 1e5bfd 59 API calls 100751 1e610f 100750->100751 100752 1d77c7 59 API calls 100751->100752 100753 1e611a 100752->100753 100754 1f0ff6 Mailbox 59 API calls 100753->100754 100755 1dfa68 100754->100755 100756 1e6259 100755->100756 100757 1e6267 100756->100757 100758 1d77c7 59 API calls 100757->100758 100759 1e6272 100758->100759 100760 1d77c7 59 API calls 100759->100760 100761 1e627d 100760->100761 100762 1d77c7 59 API calls 100761->100762 100763 1e6288 100762->100763 100764 1d77c7 59 API calls 100763->100764 100765 1e6293 100764->100765 100766 1e5bfd 59 API calls 100765->100766 100767 1e629e 100766->100767 100768 1f0ff6 Mailbox 59 API calls 100767->100768 100769 1e62a5 RegisterWindowMessageW 100768->100769 100769->100719 100772 1effee 100771->100772 100773 225cc3 100771->100773 100775 1f0ff6 Mailbox 59 API calls 100772->100775 100790 239d71 60 API calls 100773->100790 100777 1efff6 100775->100777 100776 225cce 100777->100723 100778->100730 100779->100732 100791 23748f 65 API calls 100779->100791 100781 1d77c7 59 API calls 100780->100781 100782 1f0227 100781->100782 100783 1d77c7 59 API calls 100782->100783 100784 1f022f 100783->100784 100785 1d77c7 59 API calls 100784->100785 100786 1f017b 100785->100786 100786->100736 100788 1d77c7 59 API calls 100787->100788 100789 1e5c05 100788->100789 100789->100750 100790->100776

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001D3B7A
                                  • IsDebuggerPresent.KERNEL32 ref: 001D3B8C
                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,002962F8,002962E0,?,?), ref: 001D3BFD
                                    • Part of subcall function 001D7D2C: _memmove.LIBCMT ref: 001D7D66
                                    • Part of subcall function 001E0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,001D3C26,002962F8,?,?,?), ref: 001E0ACE
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 001D3C81
                                  • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,002893F0,00000010), ref: 0020D4BC
                                  • SetCurrentDirectoryW.KERNEL32(?,002962F8,?,?,?), ref: 0020D4F4
                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00285D40,002962F8,?,?,?), ref: 0020D57A
                                  • ShellExecuteW.SHELL32(00000000,?,?), ref: 0020D581
                                    • Part of subcall function 001D3A58: GetSysColorBrush.USER32(0000000F), ref: 001D3A62
                                    • Part of subcall function 001D3A58: LoadCursorW.USER32(00000000,00007F00), ref: 001D3A71
                                    • Part of subcall function 001D3A58: LoadIconW.USER32(00000063), ref: 001D3A88
                                    • Part of subcall function 001D3A58: LoadIconW.USER32(000000A4), ref: 001D3A9A
                                    • Part of subcall function 001D3A58: LoadIconW.USER32(000000A2), ref: 001D3AAC
                                    • Part of subcall function 001D3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001D3AD2
                                    • Part of subcall function 001D3A58: RegisterClassExW.USER32(?), ref: 001D3B28
                                    • Part of subcall function 001D39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001D3A15
                                    • Part of subcall function 001D39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001D3A36
                                    • Part of subcall function 001D39E7: ShowWindow.USER32(00000000,?,?), ref: 001D3A4A
                                    • Part of subcall function 001D39E7: ShowWindow.USER32(00000000,?,?), ref: 001D3A53
                                    • Part of subcall function 001D43DB: _memset.LIBCMT ref: 001D4401
                                    • Part of subcall function 001D43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001D44A6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                  • String ID: This is a third-party compiled AutoIt script.$runas$%&
                                  • API String ID: 529118366-2051818760
                                  • Opcode ID: ba88dc2f97eca78ff307305e057d70526340b75d19e8524b7bfe60317e3dfc37
                                  • Instruction ID: 02d3d2fa225d75e10c45ccea71f9b8369e26ecb14a95c300cf387bf259a03b3b
                                  • Opcode Fuzzy Hash: ba88dc2f97eca78ff307305e057d70526340b75d19e8524b7bfe60317e3dfc37
                                  • Instruction Fuzzy Hash: B151F670D24249AECF12ABF4EC0DAFD7BB8AB15340F0441A7F861A22E2DB745655CB21
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  (Control-flow graph for the function at 1d4afe: executed/not-executed node colouring and edge listing omitted; the graph covers the GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary and GetSystemInfo calls listed under APIs below.)
                                  APIs
                                  • GetVersionExW.KERNEL32(?), ref: 001D4B2B
                                    • Part of subcall function 001D7D2C: _memmove.LIBCMT ref: 001D7D66
                                  • GetCurrentProcess.KERNEL32(?,0025FAEC,00000000,00000000,?), ref: 001D4BF8
                                  • IsWow64Process.KERNEL32(00000000), ref: 001D4BFF
                                  • GetNativeSystemInfo.KERNELBASE(00000000), ref: 001D4C45
                                  • FreeLibrary.KERNEL32(00000000), ref: 001D4C50
                                  • GetSystemInfo.KERNEL32(00000000), ref: 001D4C81
                                  • GetSystemInfo.KERNEL32(00000000), ref: 001D4C8D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                  • String ID:
                                  • API String ID: 1986165174-0
                                  • Opcode ID: 7291d9f6a44448d0c6f6fd9b1ee299605db1f07e6dc55b6a3628cdb0286e786f
                                  • Instruction ID: 7c62f5d60f8226e4f7173456b9cb3768efc8c5e554207418e41b08ee94a50ce9
                                  • Opcode Fuzzy Hash: 7291d9f6a44448d0c6f6fd9b1ee299605db1f07e6dc55b6a3628cdb0286e786f
                                  • Instruction Fuzzy Hash: 8E91B03155ABC0DBCB35DB6895551AABFE4AF3A300B48499FE0CA93B42D331A908C759
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  (Control-flow graph for the function at 1d4fe9: executed/not-executed node colouring and edge listing omitted; the graph covers the CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource calls listed under APIs below.)
                                  APIs
                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,001D4EEE,?,?,00000000,00000000), ref: 001D4FF9
                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001D4EEE,?,?,00000000,00000000), ref: 001D5010
                                  • LoadResource.KERNEL32(?,00000000,?,?,001D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,001D4F8F), ref: 0020DD60
                                  • SizeofResource.KERNEL32(?,00000000,?,?,001D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,001D4F8F), ref: 0020DD75
                                  • LockResource.KERNEL32(001D4EEE,?,?,001D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,001D4F8F,00000000), ref: 0020DD88
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                  • String ID: SCRIPT
                                  • API String ID: 3051347437-3967369404
                                  • Opcode ID: 1b57262bd9f9a7f4aa16d2884d3370c5b1212533903241bb4e325620e93aa995
                                  • Instruction ID: 9cf6423ac24a939917eeced75ce9d6c3554f877f0df70611896509353e5c11bf
                                  • Opcode Fuzzy Hash: 1b57262bd9f9a7f4aa16d2884d3370c5b1212533903241bb4e325620e93aa995
                                  • Instruction Fuzzy Hash: 131170B5200701BFD7218B65ED98F677BBAEBC9B52F20816DF805C62A0DB71EC008665
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: BuffCharUpper
                                  • String ID: pr)$%&
                                  • API String ID: 3964851224-640306274
                                  • Opcode ID: 865c9c0f3af79028b00a504819aeb97fd12acd3dbc4f80c7718b2f38509752b9
                                  • Instruction ID: d4a02a6994305fc60023b84d7eb8446bba1482132c60d4855a0b28e5fa1c3016
                                  • Opcode Fuzzy Hash: 865c9c0f3af79028b00a504819aeb97fd12acd3dbc4f80c7718b2f38509752b9
                                  • Instruction Fuzzy Hash: AD928874A087818FD725DF15C480B6AB7E1BF98304F15896DF88A8B352D7B1EC85CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Dt)$Dt)$Dt)$Dt)$Variable must be of type 'Object'.
                                  • API String ID: 0-2932729816
                                  • Opcode ID: a28382550a1960c7f4bd7885a5b87c72e5701253b43ab458f19326e48c625ccf
                                  • Instruction ID: 00313e529549a927e88700bbd2fbac0cfdf8e8a7edc5cc484b37bfd06a642533
                                  • Opcode Fuzzy Hash: a28382550a1960c7f4bd7885a5b87c72e5701253b43ab458f19326e48c625ccf
                                  • Instruction Fuzzy Hash: B4A27C74A04215DFCB24EF58C480AADB7F2FF58305F65806AE90AAB351D735ED82CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?,0020E7C1), ref: 002346A6
                                  • FindFirstFileW.KERNELBASE(?,?), ref: 002346B7
                                  • FindClose.KERNEL32(00000000), ref: 002346C7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: FileFind$AttributesCloseFirst
                                  • String ID:
                                  • API String ID: 48322524-0
                                  • Opcode ID: 58d64a4089f2f7fe4197c3fad3b4d67c56d2b33c875bcecdf17014e9f57a5862
                                  • Instruction ID: 9eeb464e34552647dcf02a35295fba2a6830a0ded4d0928cb5edc39e4c70d099
                                  • Opcode Fuzzy Hash: 58d64a4089f2f7fe4197c3fad3b4d67c56d2b33c875bcecdf17014e9f57a5862
                                  • Instruction Fuzzy Hash: C6E0D8714205016B52107B38FC4E4EA775C9E07336F100756F935C24F0E7B06D60899A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001E0BBB
                                  • timeGetTime.WINMM ref: 001E0E76
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001E0FB3
                                  • TranslateMessage.USER32(?), ref: 001E0FC7
                                  • DispatchMessageW.USER32(?), ref: 001E0FD5
                                  • Sleep.KERNEL32(0000000A), ref: 001E0FDF
                                  • LockWindowUpdate.USER32(00000000,?,?), ref: 001E105A
                                  • DestroyWindow.USER32 ref: 001E1066
                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001E1080
                                  • Sleep.KERNEL32(0000000A,?,?), ref: 002152AD
                                  • TranslateMessage.USER32(?), ref: 0021608A
                                  • DispatchMessageW.USER32(?), ref: 00216098
                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002160AC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                  • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr)$pr)$pr)$pr)
                                  • API String ID: 4003667617-564259358
                                  • Opcode ID: 0cbf84bc331d3da635bd379cc30a7abf7de40df0d3fa22431a5743d6c0262cbf
                                  • Instruction ID: 9bd76c2a5dee96bc53351454e309bf03b9f1aeab3583ef080aec469a8c061066
                                  • Opcode Fuzzy Hash: 0cbf84bc331d3da635bd379cc30a7abf7de40df0d3fa22431a5743d6c0262cbf
                                  • Instruction Fuzzy Hash: 56B2D370618B91DFD729DF24C884BAEB7E5BF94304F14495EF48A87291DB70E894CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 002391E9: __time64.LIBCMT ref: 002391F3
                                    • Part of subcall function 001D5045: _fseek.LIBCMT ref: 001D505D
                                  • __wsplitpath.LIBCMT ref: 002394BE
                                    • Part of subcall function 001F432E: __wsplitpath_helper.LIBCMT ref: 001F436E
                                  • _wcscpy.LIBCMT ref: 002394D1
                                  • _wcscat.LIBCMT ref: 002394E4
                                  • __wsplitpath.LIBCMT ref: 00239509
                                  • _wcscat.LIBCMT ref: 0023951F
                                  • _wcscat.LIBCMT ref: 00239532
                                    • Part of subcall function 0023922F: _memmove.LIBCMT ref: 00239268
                                    • Part of subcall function 0023922F: _memmove.LIBCMT ref: 00239277
                                  • _wcscmp.LIBCMT ref: 00239479
                                    • Part of subcall function 002399BE: _wcscmp.LIBCMT ref: 00239AAE
                                    • Part of subcall function 002399BE: _wcscmp.LIBCMT ref: 00239AC1
                                  • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002396DC
                                  • _wcsncpy.LIBCMT ref: 0023974F
                                  • DeleteFileW.KERNEL32(?,?), ref: 00239785
                                  • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0023979B
                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002397AC
                                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002397BE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                  • String ID:
                                  • API String ID: 1500180987-0
                                  • Opcode ID: 3ce63b81be618e8b9b801c1bac8b29ab9bd93806d69ea52b8b681270c3d5b09b
                                  • Instruction ID: 2da314bb1323fcbe81a7f8d6c545580c0cd73ec3ffa42241e2b76a7c9fbc6f38
                                  • Opcode Fuzzy Hash: 3ce63b81be618e8b9b801c1bac8b29ab9bd93806d69ea52b8b681270c3d5b09b
                                  • Instruction Fuzzy Hash: B2C13AF1D10219ABCF21DF94CC85EEEB7BDAF55300F0040AAF609E6251DB709A948F65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 001D3074
                                  • RegisterClassExW.USER32(00000030), ref: 001D309E
                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001D30AF
                                  • InitCommonControlsEx.COMCTL32(?), ref: 001D30CC
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001D30DC
                                  • LoadIconW.USER32(000000A9), ref: 001D30F2
                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001D3101
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                  • API String ID: 2914291525-1005189915
                                  • Opcode ID: 83edd2e6a61fa045b52b8f9e8008a2a7ad96d9dcc6a7eb129161d0cd743be292
                                  • Instruction ID: d22f30e313ad3e8e4787a8f93a4bf0e079258b8296a2557eb2827e30db526488
                                  • Opcode Fuzzy Hash: 83edd2e6a61fa045b52b8f9e8008a2a7ad96d9dcc6a7eb129161d0cd743be292
                                  • Instruction Fuzzy Hash: 193145B1854309AFDB41CFA4E98CBC9BFF0FB09321F14456AE590A62A0E3B94589CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 001D3074
                                  • RegisterClassExW.USER32(00000030), ref: 001D309E
                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001D30AF
                                  • InitCommonControlsEx.COMCTL32(?), ref: 001D30CC
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001D30DC
                                  • LoadIconW.USER32(000000A9), ref: 001D30F2
                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001D3101
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                  • API String ID: 2914291525-1005189915
                                  • Opcode ID: 29806c123854d4e129b74937c4f703d37bb7cdfcc9514dd9bd572c1fc4fb9fde
                                  • Instruction ID: a52d9811bde110aedd7e3eabb23cb80f5d1fadd213ad2d52e83667f88542550e
                                  • Opcode Fuzzy Hash: 29806c123854d4e129b74937c4f703d37bb7cdfcc9514dd9bd572c1fc4fb9fde
                                  • Instruction Fuzzy Hash: B321BFB1951318AFDB40DFA4FA8DADEBBF4FB08711F10412AF910A62A0D7B545488F99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 001D4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002962F8,?,001D37C0,?), ref: 001D4882
                                    • Part of subcall function 001F074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,001D72C5), ref: 001F0771
                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001D7308
                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0020ECF1
                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0020ED32
                                  • RegCloseKey.ADVAPI32(?), ref: 0020ED70
                                  • _wcscat.LIBCMT ref: 0020EDC9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                  • API String ID: 2673923337-2727554177
                                  • Opcode ID: c5d54db81a760f4da7837121d0a674003db0c28bfb24fa55e168f3e13b04eefc
                                  • Instruction ID: 3804e4abff642f31c2dc49c7a19d383fe3b78ebdd91b3a8c0d1b6532d678b54c
                                  • Opcode Fuzzy Hash: c5d54db81a760f4da7837121d0a674003db0c28bfb24fa55e168f3e13b04eefc
                                  • Instruction Fuzzy Hash: 5D7170718383059EC714EF65EC859ABBBE8FF59350F44492FF845832A1EB309948CB66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • DefWindowProcW.USER32(?,?,?,?), ref: 001D36D2
                                  • KillTimer.USER32(?,00000001), ref: 001D36FC
                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001D371F
                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001D372A
                                  • CreatePopupMenu.USER32 ref: 001D373E
                                  • PostQuitMessage.USER32(00000000), ref: 001D375F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                  • String ID: TaskbarCreated$%&
                                  • API String ID: 129472671-2586949835
                                  • Opcode ID: 662174f6395377df0798ce16cb4baa77d0caf78b17f38b1662ad915025942b78
                                  • Instruction ID: 6bf87868bc99266f94c7b121407a4058687063e193b12b601d538d0e1bd4265d
                                  • Opcode Fuzzy Hash: 662174f6395377df0798ce16cb4baa77d0caf78b17f38b1662ad915025942b78
                                  • Instruction Fuzzy Hash: FF4125B1620605BBDF185F68FC0DB793B99EB14300F04022BF912863E2CB70EE649667
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 001D3A62
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 001D3A71
                                  • LoadIconW.USER32(00000063), ref: 001D3A88
                                  • LoadIconW.USER32(000000A4), ref: 001D3A9A
                                  • LoadIconW.USER32(000000A2), ref: 001D3AAC
                                  • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001D3AD2
                                  • RegisterClassExW.USER32(?), ref: 001D3B28
                                    • Part of subcall function 001D3041: GetSysColorBrush.USER32(0000000F), ref: 001D3074
                                    • Part of subcall function 001D3041: RegisterClassExW.USER32(00000030), ref: 001D309E
                                    • Part of subcall function 001D3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001D30AF
                                    • Part of subcall function 001D3041: InitCommonControlsEx.COMCTL32(?), ref: 001D30CC
                                    • Part of subcall function 001D3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001D30DC
                                    • Part of subcall function 001D3041: LoadIconW.USER32(000000A9), ref: 001D30F2
                                    • Part of subcall function 001D3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001D3101
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                  • String ID: #$0$AutoIt v3
                                  • API String ID: 423443420-4155596026
                                  • Opcode ID: 6114ccf78489c642da67015b0e102c0e4a9abf5a65240df5166308a986beed27
                                  • Instruction ID: 8483e704c3593ab62464a73705490f625fdd07ccb5902801df52bda6be13a258
                                  • Opcode Fuzzy Hash: 6114ccf78489c642da67015b0e102c0e4a9abf5a65240df5166308a986beed27
                                  • Instruction Fuzzy Hash: 9D211571E10308AFEB109FA4FD4DB9DBBF5FB08711F00416AEA04A62A0D3BA56549F94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                  • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b)
                                  • API String ID: 1825951767-136876307
                                  • Opcode ID: dffa704ef313b9cd2e00dca3c3fa3f2e735de2a88bffde25c36768d7ec142b31
                                  • Instruction ID: eefab9a0b7afa8d59ba840299da2dda91bfd0f5c65f7f421fab64070cc59923d
                                  • Opcode Fuzzy Hash: dffa704ef313b9cd2e00dca3c3fa3f2e735de2a88bffde25c36768d7ec142b31
                                  • Instruction Fuzzy Hash: BDA12E72D1022D9ACF05EFA4DC95AEEB7B8BF24340F44052BF416B7291EB745A09CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 001F03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001F03D3
                                    • Part of subcall function 001F03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 001F03DB
                                    • Part of subcall function 001F03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001F03E6
                                    • Part of subcall function 001F03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001F03F1
                                    • Part of subcall function 001F03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 001F03F9
                                    • Part of subcall function 001F03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 001F0401
                                    • Part of subcall function 001E6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,001DFA90), ref: 001E62B4
                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001DFB2D
                                  • OleInitialize.OLE32(00000000), ref: 001DFBAA
                                  • CloseHandle.KERNEL32(00000000), ref: 002149F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                  • String ID: <g)$\d)$%&$c)
                                  • API String ID: 1986988660-697597859
                                  • Opcode ID: 3467b9f996eaa5fae7b821674692b614bf244cbda470f154557e3d404ee5614a
                                  • Instruction ID: 1976b64afa79c78e7b87fb377f0758bce224d09acdfe348cdf80d7f8949b3321
                                  • Opcode Fuzzy Hash: 3467b9f996eaa5fae7b821674692b614bf244cbda470f154557e3d404ee5614a
                                  • Instruction Fuzzy Hash: 0481C8B09142808EC7A4EFBAF99C659BBE4FBA8708710A17FD019C7362EB314414CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01982811
                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01982A37
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1241289123.0000000001980000.00000040.00001000.00020000.00000000.sdmp, Offset: 01980000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1980000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CreateFileFreeVirtual
                                  • String ID:
                                  • API String ID: 204039940-0
                                  • Opcode ID: 77d988955e9428cd63ddf90fc844310d7d68253a3e2a0e9305b7301c98709747
                                  • Instruction ID: 0fdae1cd5060e21a976f1163cbdba4be702ce70a582611f4d712093344392080
                                  • Opcode Fuzzy Hash: 77d988955e9428cd63ddf90fc844310d7d68253a3e2a0e9305b7301c98709747
                                  • Instruction Fuzzy Hash: CCA12870E00209EBDB14DFA4C994BEEBBB5FF48305F208559E219BB280C7759A41CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001D3A15
                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001D3A36
                                  • ShowWindow.USER32(00000000,?,?), ref: 001D3A4A
                                  • ShowWindow.USER32(00000000,?,?), ref: 001D3A53
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$CreateShow
                                  • String ID: AutoIt v3$edit
                                  • API String ID: 1584632944-3779509399
                                  • Opcode ID: 66a9c0f889001c1bbcc4832a51b42457c1dc32834868e4c77fe922b7261d4cd8
                                  • Instruction ID: aef3272d9a7152543379583943deec89e0bb457e5ad986b74e7ff334359945f1
                                  • Opcode Fuzzy Hash: 66a9c0f889001c1bbcc4832a51b42457c1dc32834868e4c77fe922b7261d4cd8
                                  • Instruction Fuzzy Hash: 71F0DA71A412907EEA7117277C4DE676EBDD7CAF51F00412ABD04A21B0C6B61851DAB4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph (rendered graph not reproduced)
                                  APIs
                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01982635
                                  • VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 0198266A
                                  • ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 0198268D
                                  • ExitProcess.KERNEL32(00000000), ref: 019826EE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1241289123.0000000001980000.00000040.00001000.00020000.00000000.sdmp, Offset: 01980000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1980000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: File$AllocCreateExitProcessReadVirtual
                                  • String ID: FVH1IM7FEIG7K7IAB
                                  • API String ID: 1333605300-3959371335
                                  • Opcode ID: addf1d9e20cb3ee7326be7c92996204c05a2f5d295621067f7f82302e001bda0
                                  • Instruction ID: 35e4c83a791053abdf29e42030b9db52768e4e58a69fc4f6d73e1e610f38872b
                                  • Opcode Fuzzy Hash: addf1d9e20cb3ee7326be7c92996204c05a2f5d295621067f7f82302e001bda0
                                  • Instruction Fuzzy Hash: D851A371D04249DBEF11EBB4C819BEEBBB8AF54304F004199E609BB2C1DBB94B44CB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph (rendered graph not reproduced)
                                  APIs
                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0020D5EC
                                    • Part of subcall function 001D7D2C: _memmove.LIBCMT ref: 001D7D66
                                  • _memset.LIBCMT ref: 001D418D
                                  • _wcscpy.LIBCMT ref: 001D41E1
                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001D41F1
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                  • String ID: Line:
                                  • API String ID: 3942752672-1585850449
                                  • Opcode ID: a95800f0bc795e0f9d251f82da710b605b4cdc1a4034d0284815cb09e3b4d35e
                                  • Instruction ID: 81316d8a3a3a3115783aecce9db65405b897d7b6c825f7b9ae042134f7f09236
                                  • Opcode Fuzzy Hash: a95800f0bc795e0f9d251f82da710b605b4cdc1a4034d0284815cb09e3b4d35e
                                  • Instruction Fuzzy Hash: 2731DF71408315ABD721EB60EC4AFEB77ECAF64300F10461FF585922E1EB74A648C792
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                  • String ID:
                                  • API String ID: 1559183368-0
                                  • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                  • Instruction ID: f5db024717090bceaedd0223919d95871ab7ac5007771df92166deaf0b0ba57d
                                  • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                  • Instruction Fuzzy Hash: 3251B170A00B0DDBDB289FA9C88467E77A3AF50330FA48729FB35962D1DB709D518B50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,002962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001D4F6F
                                  • _free.LIBCMT ref: 0020E68C
                                  • _free.LIBCMT ref: 0020E6D3
                                    • Part of subcall function 001D6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 001D6D0D
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _free$CurrentDirectoryLibraryLoad
                                  • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                  • API String ID: 2861923089-1757145024
                                  • Opcode ID: 69843e2f374719c78d857116ddf895f5076df725c242ffedae498c0f664dc1ac
                                  • Instruction ID: ab33103f012553cf3f2cac9594cdf1c97352db4086d0cd82610d58426ed4cb37
                                  • Opcode Fuzzy Hash: 69843e2f374719c78d857116ddf895f5076df725c242ffedae498c0f664dc1ac
                                  • Instruction Fuzzy Hash: E5917F71920219EFCF04EFA4CC919EDB7B8FF29314F15486AF815AB292EB319954CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,001D35A1,SwapMouseButtons,00000004,?), ref: 001D35D4
                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,001D35A1,SwapMouseButtons,00000004,?,?,?,?,001D2754), ref: 001D35F5
                                  • RegCloseKey.KERNELBASE(00000000,?,?,001D35A1,SwapMouseButtons,00000004,?,?,?,?,001D2754), ref: 001D3617
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID: Control Panel\Mouse
                                  • API String ID: 3677997916-824357125
                                  • Opcode ID: 6aef3115db668735a183475639bacce775b8f2542eb98467b4e1897e2e31c3f1
                                  • Instruction ID: db2aa77c3d80f479a334a427dbfeaaf901ff2382a63eb4f23f0c0f08189401b4
                                  • Opcode Fuzzy Hash: 6aef3115db668735a183475639bacce775b8f2542eb98467b4e1897e2e31c3f1
                                  • Instruction Fuzzy Hash: 40110375611218BADB208F64EC84EAABBA8EF04740F11856AA815D7210E771DF509BA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 01981B2D
                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01981B51
                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01981B73
                                  • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01981E7C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1241289123.0000000001980000.00000040.00001000.00020000.00000000.sdmp, Offset: 01980000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1980000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
                                  • String ID:
                                  • API String ID: 572931308-0
                                  • Opcode ID: 1c254958347add653d1264a8456c45aadd074b05e9bafd5c07668000067c6523
                                  • Instruction ID: 70cdd052add0e21d1482bbff2cd5442740f0b227249bb177358f037f54e1518b
                                  • Opcode Fuzzy Hash: 1c254958347add653d1264a8456c45aadd074b05e9bafd5c07668000067c6523
                                  • Instruction Fuzzy Hash: 8D621A30A14258DBEB24DFA4C840BDEB376EF58300F1095A9D20DEB395E7799E81CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D5045: _fseek.LIBCMT ref: 001D505D
                                    • Part of subcall function 002399BE: _wcscmp.LIBCMT ref: 00239AAE
                                    • Part of subcall function 002399BE: _wcscmp.LIBCMT ref: 00239AC1
                                  • _free.LIBCMT ref: 0023992C
                                  • _free.LIBCMT ref: 00239933
                                  • _free.LIBCMT ref: 0023999E
                                    • Part of subcall function 001F2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,001F9C64), ref: 001F2FA9
                                    • Part of subcall function 001F2F95: GetLastError.KERNEL32(00000000,?,001F9C64), ref: 001F2FBB
                                  • _free.LIBCMT ref: 002399A6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                  • String ID:
                                  • API String ID: 1552873950-0
                                  • Opcode ID: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
                                  • Instruction ID: af66e9f3e3c467e62e80a772fca28a38d007c1dd082b497c28ef71bd2bba9f8c
                                  • Opcode Fuzzy Hash: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
                                  • Instruction Fuzzy Hash: C5516FF1914218AFDF249F64CC41AAEBB7AEF48300F1004AEF609A7341DB715A90CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                  • String ID:
                                  • API String ID: 2782032738-0
                                  • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                  • Instruction ID: f25fd6a57a709cb8a13a0bbaa3f8eac0af55bcf04d1f592aa4d1912e56421007
                                  • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                  • Instruction Fuzzy Hash: AE41D57070060E9BDF28CEA9C8909BF77A6EF84364B24813DEA56C7650DBB0DD40CB44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: AU3!P/&$EA06
                                  • API String ID: 4104443479-2344475267
                                  • Opcode ID: e4f6e4a70f1a4652cba40b1118ae19a9e00046301c474f2e4d4a48bd15a7bb46
                                  • Instruction ID: 4faaf17e536c61de25a298cb9cfc1bf5141ff2d2d74067ab80798a8ec8b7f94e
                                  • Opcode Fuzzy Hash: e4f6e4a70f1a4652cba40b1118ae19a9e00046301c474f2e4d4a48bd15a7bb46
                                  • Instruction Fuzzy Hash: 8D418B32A042587BDF259F6488917BE7FA6AF55300F694077F882DB382C7398D8087E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 0020EE62
                                  • GetOpenFileNameW.COMDLG32(?), ref: 0020EEAC
                                    • Part of subcall function 001D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001D48A1,?,?,001D37C0,?), ref: 001D48CE
                                    • Part of subcall function 001F09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001F09F4
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Name$Path$FileFullLongOpen_memset
                                  • String ID: X
                                  • API String ID: 3777226403-3081909835
                                  • Opcode ID: bf6c6459da05ba443e1a1202cb135f5cb1f7beec8cc034d0978c1a6360083b6d
                                  • Instruction ID: f82d17c3ad39182fee5a1db8a2e235b690bade6c7eab0925cd36bc95084d895b
                                  • Opcode Fuzzy Hash: bf6c6459da05ba443e1a1202cb135f5cb1f7beec8cc034d0978c1a6360083b6d
                                  • Instruction Fuzzy Hash: EF21C370A1025C9BCF05DF94C845BEE7BF89F59314F04401AE508E7382EBB45999CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __fread_nolock_memmove
                                  • String ID: EA06
                                  • API String ID: 1988441806-3962188686
                                  • Opcode ID: f0a42c6820d8b33998cba1cbd1f0b15447eb3f5b7de751cd1b1ce79f9fb615c0
                                  • Instruction ID: f87b56ffaa154b08d3d03f844be3e0ed88e4ab7c0ddb5b1faddd4a1dedee4b13
                                  • Opcode Fuzzy Hash: f0a42c6820d8b33998cba1cbd1f0b15447eb3f5b7de751cd1b1ce79f9fb615c0
                                  • Instruction Fuzzy Hash: EE01F971914218BEDB28CAA8C816EFE7BF89B11311F00419AF652D2181E5B5A6148B60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00239B82
                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00239B99
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Temp$FileNamePath
                                  • String ID: aut
                                  • API String ID: 3285503233-3010740371
                                  • Opcode ID: 4aa726aa377ccd2cd0b85f144dbb707dcab65089e6b5520afbef8f4eac928c80
                                  • Instruction ID: e35086469170b0664ca429434dcfebe8feba26be5e8f6552783583d8fff5b9c8
                                  • Opcode Fuzzy Hash: 4aa726aa377ccd2cd0b85f144dbb707dcab65089e6b5520afbef8f4eac928c80
                                  • Instruction Fuzzy Hash: 25D05EB954030DABDB50AB90EC0EF9A772CE704701F0042A1BE54D60A1DEB059A88B96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 94efabf1fdd68698fa0e3a79597d0c0ab3ca9f60b517daed0f74ea40e0cb1f3a
                                  • Instruction ID: 614623fb5abcc94826e2d33948b895edd04cee3c00f0bc68a7754b9aba638b66
                                  • Opcode Fuzzy Hash: 94efabf1fdd68698fa0e3a79597d0c0ab3ca9f60b517daed0f74ea40e0cb1f3a
                                  • Instruction Fuzzy Hash: 26F18B716183019FC714DF28C480A6ABBE5FF88314F14892EF8999B352D771E945CF82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 001D4401
                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 001D44A6
                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 001D44C3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: IconNotifyShell_$_memset
                                  • String ID:
                                  • API String ID: 1505330794-0
                                  • Opcode ID: 38b834c135e77c7f08dbc8cf008a76a5e604ad64dacaa505509fefed6704c024
                                  • Instruction ID: 7b68bb39b04f7c6e761c91cb67d75c5938369eb47c163a318c849a3f7c7d935e
                                  • Opcode Fuzzy Hash: 38b834c135e77c7f08dbc8cf008a76a5e604ad64dacaa505509fefed6704c024
                                  • Instruction Fuzzy Hash: 59316FB09057018FD760DF24E88879BBBE8FB48304F00092FF99A83391D775A984CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __FF_MSGBANNER.LIBCMT ref: 001F5963
                                    • Part of subcall function 001FA3AB: __NMSG_WRITE.LIBCMT ref: 001FA3D2
                                    • Part of subcall function 001FA3AB: __NMSG_WRITE.LIBCMT ref: 001FA3DC
                                  • __NMSG_WRITE.LIBCMT ref: 001F596A
                                    • Part of subcall function 001FA408: GetModuleFileNameW.KERNEL32(00000000,002943BA,00000104,?,00000001,00000000), ref: 001FA49A
                                    • Part of subcall function 001FA408: ___crtMessageBoxW.LIBCMT ref: 001FA548
                                    • Part of subcall function 001F32DF: ___crtCorExitProcess.LIBCMT ref: 001F32E5
                                    • Part of subcall function 001F32DF: ExitProcess.KERNEL32 ref: 001F32EE
                                    • Part of subcall function 001F8D68: __getptd_noexit.LIBCMT ref: 001F8D68
                                  • RtlAllocateHeap.NTDLL(010A0000,00000000,00000001,00000000,?,?,?,001F1013,?), ref: 001F598F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                  • String ID:
                                  • API String ID: 1372826849-0
                                  • Opcode ID: 43be407d894b747d6fdd21a92ccabe0a3b43d504ae89a38f8f7be85a94cf08fb
                                  • Instruction ID: 2c0d9a39f85dfc7e113c0643c2998cd4c47b102e9b7b069bc14e3cfc69a4daef
                                  • Opcode Fuzzy Hash: 43be407d894b747d6fdd21a92ccabe0a3b43d504ae89a38f8f7be85a94cf08fb
                                  • Instruction Fuzzy Hash: 7201D231300B1EEEE7297B64E856A3E738AAFA1739F51002AF7049A1D1DBB09D018260
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,002397D2,?,?,?,?,?,00000004), ref: 00239B45
                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,002397D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00239B5B
                                  • CloseHandle.KERNEL32(00000000,?,002397D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00239B62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: File$CloseCreateHandleTime
                                  • String ID:
                                  • API String ID: 3397143404-0
                                  • Opcode ID: 976e6b1ac9812f72c1fb1751d0d257ccec84a1de319a1e1d305363718ba83083
                                  • Instruction ID: 9b04040c405113543b76e37c2c1ce187ac5e8f94d4647fe5e6683d63e826b984
                                  • Opcode Fuzzy Hash: 976e6b1ac9812f72c1fb1751d0d257ccec84a1de319a1e1d305363718ba83083
                                  • Instruction Fuzzy Hash: 96E08632181714B7E7212F54FC0DFCA7B19AB05766F108120FB14A90E087B12921979C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _free.LIBCMT ref: 00238FA5
                                    • Part of subcall function 001F2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,001F9C64), ref: 001F2FA9
                                    • Part of subcall function 001F2F95: GetLastError.KERNEL32(00000000,?,001F9C64), ref: 001F2FBB
                                  • _free.LIBCMT ref: 00238FB6
                                  • _free.LIBCMT ref: 00238FC8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
                                  • Instruction ID: 5e5174619cbd5b36cd9bea74902b79b1dc12a197cc0d50883409a46fa4cf1d27
                                  • Opcode Fuzzy Hash: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
                                  • Instruction Fuzzy Hash: 7EE012E17297064ACA24A978AD40AA367FE5F48350B58081DF60ADF542DF34E8518524
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: CALL
                                  • API String ID: 0-4196123274
                                  • Opcode ID: c4d31022ec6ea658b62295c0032b544062b70aa3941ad493cf339844a2d07bff
                                  • Instruction ID: baea6d2091ba0ce8d715bfe41ca4e2c8037f9aef6b688b4a0a5fa0d1360dc598
                                  • Opcode Fuzzy Hash: c4d31022ec6ea658b62295c0032b544062b70aa3941ad493cf339844a2d07bff
                                  • Instruction Fuzzy Hash: 11224874518251DFCB28DF14C494B6ABBF1BF98300F55895EE88A8B362D771ED81CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 019824BA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1241289123.0000000001980000.00000040.00001000.00020000.00000000.sdmp, Offset: 01980000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1980000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID: D
                                  • API String ID: 963392458-2746444292
                                  • Opcode ID: 791969fb1361833500844451ba9b934c3fec09ab1158a1cac042ce22c13530ca
                                  • Instruction ID: 29a5d841f0bcb488160365f0f7badb0a8117effa3d4700b051908ac64da84178
                                  • Opcode Fuzzy Hash: 791969fb1361833500844451ba9b934c3fec09ab1158a1cac042ce22c13530ca
                                  • Instruction Fuzzy Hash: 4E01FB71900308ABDB20EBE4CC49FEE777CAB44B01F508549AA199A180EB78A648CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 01981B2D
                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01981B51
                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01981B73
                                  • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01981E7C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1241289123.0000000001980000.00000040.00001000.00020000.00000000.sdmp, Offset: 01980000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1980000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
                                  • String ID:
                                  • API String ID: 572931308-0
                                  • Opcode ID: 801aaf84b15b479f94a8232a97f4b0cd261659a5a12bf1cd9e336e66da0d4d36
                                  • Instruction ID: 8a0d1d106cdcae297bf582ae747e5cc3a47d6d4c7355a64f2f54d35aa8b45acd
                                  • Opcode Fuzzy Hash: 801aaf84b15b479f94a8232a97f4b0cd261659a5a12bf1cd9e336e66da0d4d36
                                  • Instruction Fuzzy Hash: E512ED24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • IsThemeActive.UXTHEME ref: 001D4992
                                    • Part of subcall function 001F35AC: __lock.LIBCMT ref: 001F35B2
                                    • Part of subcall function 001F35AC: DecodePointer.KERNEL32(00000001,?,001D49A7,002281BC), ref: 001F35BE
                                    • Part of subcall function 001F35AC: EncodePointer.KERNEL32(?,?,001D49A7,002281BC), ref: 001F35C9
                                    • Part of subcall function 001D4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 001D4A73
                                    • Part of subcall function 001D4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001D4A88
                                    • Part of subcall function 001D3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001D3B7A
                                    • Part of subcall function 001D3B4C: IsDebuggerPresent.KERNEL32 ref: 001D3B8C
                                    • Part of subcall function 001D3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,002962F8,002962E0,?,?), ref: 001D3BFD
                                    • Part of subcall function 001D3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 001D3C81
                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001D49D2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                  • String ID:
                                  • API String ID: 1438897964-0
                                  • Opcode ID: 5728652718638b3c12e99fdd02333ea018b729e5417a03b5fdd66a5c88ba85c8
                                  • Instruction ID: b035f7e4e02d672264548645e26435325271f05a2c6548ed8963fee0d922c35b
                                  • Opcode Fuzzy Hash: 5728652718638b3c12e99fdd02333ea018b729e5417a03b5fdd66a5c88ba85c8
                                  • Instruction Fuzzy Hash: 54119A729183219BC700EF29EC4991AFFF8EBA8710F00451FF455832B2DB709655CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,001D5981,?,?,?,?), ref: 001D5E27
                                  • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,001D5981,?,?,?,?), ref: 0020E19C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 37bcc52e3828823187551418a898a39f79529c01ee488da8a47d82d71305fb24
                                  • Instruction ID: 4158c0627c6a1b0620c83bb9fcc5d57003ec9117fe48596f3658d42b7c761e47
                                  • Opcode Fuzzy Hash: 37bcc52e3828823187551418a898a39f79529c01ee488da8a47d82d71305fb24
                                  • Instruction Fuzzy Hash: 1301B571244708BEF7241E24DC8AF66BB9DEB01768F10C319BAE95A2E1C7B01E458B54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001F594C: __FF_MSGBANNER.LIBCMT ref: 001F5963
                                    • Part of subcall function 001F594C: __NMSG_WRITE.LIBCMT ref: 001F596A
                                    • Part of subcall function 001F594C: RtlAllocateHeap.NTDLL(010A0000,00000000,00000001,00000000,?,?,?,001F1013,?), ref: 001F598F
                                  • std::exception::exception.LIBCMT ref: 001F102C
                                  • __CxxThrowException@8.LIBCMT ref: 001F1041
                                    • Part of subcall function 001F87DB: RaiseException.KERNEL32(?,?,?,0028BAF8,00000000,?,?,?,?,001F1046,?,0028BAF8,?,00000001), ref: 001F8830
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                  • String ID:
                                  • API String ID: 3902256705-0
                                  • Opcode ID: b050d0355efca66506fe1b990faa3a6ab19446ef5e3434fc45926c26b30b7051
                                  • Instruction ID: 4e006239adde29e7da7e92790570066e959eb53b73597d331d15ef99d5e7b588
                                  • Opcode Fuzzy Hash: b050d0355efca66506fe1b990faa3a6ab19446ef5e3434fc45926c26b30b7051
                                  • Instruction Fuzzy Hash: 45F0283550020DF7CB25BA58EC059FF7BAC9F10350F200426FA04A2592DFB08AD482E0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __lock_file_memset
                                  • String ID:
                                  • API String ID: 26237723-0
                                  • Opcode ID: f38bec52eb27485519c2c453998585a4bb1f158f029d433f3e93a763775e08b1
                                  • Instruction ID: 239a71ef0d4fa0eb414755bca7ae6479717f19e9f31f95f3dc75ec5af70c83be
                                  • Opcode Fuzzy Hash: f38bec52eb27485519c2c453998585a4bb1f158f029d433f3e93a763775e08b1
                                  • Instruction Fuzzy Hash: 15016771C01A0DEBCF12AF6ADC055BF7B62AF513A0F144215FB245B1A1DB31CA21DB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001F8D68: __getptd_noexit.LIBCMT ref: 001F8D68
                                  • __lock_file.LIBCMT ref: 001F561B
                                    • Part of subcall function 001F6E4E: __lock.LIBCMT ref: 001F6E71
                                  • __fclose_nolock.LIBCMT ref: 001F5626
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                  • String ID:
                                  • API String ID: 2800547568-0
                                  • Opcode ID: 32a2c7f08b318c06454fe98b877f3b40bf76809d486c170c90411e73b1f99e41
                                  • Instruction ID: a19085e9f8d18b10fc41a4880868980a8c4e6569cd07f54fa2871894081ed2b7
                                  • Opcode Fuzzy Hash: 32a2c7f08b318c06454fe98b877f3b40bf76809d486c170c90411e73b1f99e41
                                  • Instruction Fuzzy Hash: D2F0B471901A0C9EDB21BF79880277E77A26F61734F558209A724EB1C2CF7C89029B55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e6a0dd09c5fdcc17b24b3590796c52ed0f08f951117c3794b8185cb294e7e707
                                  • Instruction ID: e1edf1e3f3f8702cee9351330ed99f03da4f30f7a020a655f41a321caf9dc1be
                                  • Opcode Fuzzy Hash: e6a0dd09c5fdcc17b24b3590796c52ed0f08f951117c3794b8185cb294e7e707
                                  • Instruction Fuzzy Hash: F9617A7060020A9FDB14EF64D981ABAB7E5EF14300F15857EE90B9B381E771EE92CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e1d20d3f04e7148d0a91f855fb79118e80c2c752678dc800af09fe8711f69398
                                  • Instruction ID: 62e877f44e31b312aa7a3ce9b3acbfeb16fffb5796d54c2ab4be277c2175041d
                                  • Opcode Fuzzy Hash: e1d20d3f04e7148d0a91f855fb79118e80c2c752678dc800af09fe8711f69398
                                  • Instruction Fuzzy Hash: CE519F35600615AFCF14EF68C9A5EAE77E6AF55310F158169F906AB382CB30EE00CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 001D5CF6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 728906e201f97d2b5b5a70a896dd047415f2c071f2dc7fa90bea4ba32099c5d7
                                  • Instruction ID: ad92346ad20e597f652d02046ba81f99ef13bf3c8bb756e005ef5063beaa04e5
                                  • Opcode Fuzzy Hash: 728906e201f97d2b5b5a70a896dd047415f2c071f2dc7fa90bea4ba32099c5d7
                                  • Instruction Fuzzy Hash: 9C315E71A10B0AAFCB18DF6DC484A6DB7B6FF48310F15862AE81993714D771BDA0DB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  • Opcode ID: 6ddda2aa84f79cffdaec51f0fb4d8dd7332ba212c39820c8b6d9b32d3999de1a
                                  • Instruction ID: 4665960c270210686b1b373d1a6563edb29cc4da7ed43aceb21340867f592dd0
                                  • Opcode Fuzzy Hash: 6ddda2aa84f79cffdaec51f0fb4d8dd7332ba212c39820c8b6d9b32d3999de1a
                                  • Instruction Fuzzy Hash: 80414774508341DFDB24CF14C484B1ABBE0BF54318F1988ADE98A8B362C772EC85CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID:
                                  • API String ID: 4104443479-0
                                  • Opcode ID: 6bf83157bd2e093f3b8a76a008469c06d68c7c657eefe16dae0b868bee7839d0
                                  • Instruction ID: 51c278a2e846b5ee51b98fe1ac6d28b6dfb8b475afab7d4d56c07049e87153eb
                                  • Opcode Fuzzy Hash: 6bf83157bd2e093f3b8a76a008469c06d68c7c657eefe16dae0b868bee7839d0
                                  • Instruction Fuzzy Hash: FC21D570A20B08EBEF145F51F88966A7FBAFF20350F22886FE485D5552EB7194E0C745
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D4D13: FreeLibrary.KERNEL32(00000000,?), ref: 001D4D4D
                                    • Part of subcall function 001F548B: __wfsopen.LIBCMT ref: 001F5496
                                  • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,002962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001D4F6F
                                    • Part of subcall function 001D4CC8: FreeLibrary.KERNEL32(00000000), ref: 001D4D02
                                    • Part of subcall function 001D4DD0: _memmove.LIBCMT ref: 001D4E1A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Library$Free$Load__wfsopen_memmove
                                  • String ID:
                                  • API String ID: 1396898556-0
                                  • Opcode ID: f7e0400051f5e0cbd92aade3ea740426315b41ffa8ee713f1995fa243a6cc1f6
                                  • Instruction ID: 550e8b3588440b66b056082d4226d2bca8b30de95ca1be1daa321393949d9953
                                  • Opcode Fuzzy Hash: f7e0400051f5e0cbd92aade3ea740426315b41ffa8ee713f1995fa243a6cc1f6
                                  • Instruction Fuzzy Hash: CE110A32610709ABCB24FF74DC02F6E77A59F64701F10842AF941A63C2DF719A159B60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  • Opcode ID: efdbe1888dd886fab201559a8a05f0aa7a5a266329f2ffa2de170e579a88694d
                                  • Instruction ID: 8a473bb29329c6d1b607c8f5f58402027b9a88a37ef9bdffce5bc586fce5c2de
                                  • Opcode Fuzzy Hash: efdbe1888dd886fab201559a8a05f0aa7a5a266329f2ffa2de170e579a88694d
                                  • Instruction Fuzzy Hash: E12122B4508341DFCB24DF54C484A1ABBE0BF88304F058969F98A47721D771E899CB93
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,001D5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 001D5D76
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: fc92ad4c7a6606fab57a8ca3da645afc9d0745ce0df033e0e3224627eb7eeec0
                                  • Instruction ID: b91d833b4476a5cfd7e87d8275285932fc77a674f006ef5461f391873b3ec58c
                                  • Opcode Fuzzy Hash: fc92ad4c7a6606fab57a8ca3da645afc9d0745ce0df033e0e3224627eb7eeec0
                                  • Instruction Fuzzy Hash: 24113631200F059FE3308F55C888B62B7EAEF45764F10C92EE5AA86A50D7B0F945CF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID:
                                  • API String ID: 4104443479-0
                                  • Opcode ID: 327c95574f60e5010daba2857bec39af6c2e223ed2d997c94b99b88fa264bf6e
                                  • Instruction ID: 6a65816461f871d348df6cc491318d7a874d2b793d073067a1453822347e8b55
                                  • Opcode Fuzzy Hash: 327c95574f60e5010daba2857bec39af6c2e223ed2d997c94b99b88fa264bf6e
                                  • Instruction Fuzzy Hash: 3701A2B9600546AFC305EB69D841D26FBAAFF9A314314825AF819C7742DB31EC21CBE0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __lock_file.LIBCMT ref: 001F4AD6
                                    • Part of subcall function 001F8D68: __getptd_noexit.LIBCMT ref: 001F8D68
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __getptd_noexit__lock_file
                                  • String ID:
                                  • API String ID: 2597487223-0
                                  • Opcode ID: 17cd719d11675ddc4fc076857ecf7c209e767e87fbfd9bb92859ca8c9619325c
                                  • Instruction ID: 422f672f59ed162d5d61d9f414d875dc2752292e4d412b5507d3d3933b648225
                                  • Opcode Fuzzy Hash: 17cd719d11675ddc4fc076857ecf7c209e767e87fbfd9bb92859ca8c9619325c
                                  • Instruction Fuzzy Hash: B6F0AF31A4020DABDF61AF748C063BF36A5AF10329F048514BA24AB1D2DB78CA51DF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FreeLibrary.KERNEL32(?,?,002962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001D4FDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: FreeLibrary
                                  • String ID:
                                  • API String ID: 3664257935-0
                                  • Opcode ID: 8da315098af87503ca9185dc8bce652acd8b02d0f437ed2cfb3ce02108207a12
                                  • Instruction ID: 9e357daba7fc184006c2d5bf9f303db7d671d092103cace9e7cd36afde6fbf8c
                                  • Opcode Fuzzy Hash: 8da315098af87503ca9185dc8bce652acd8b02d0f437ed2cfb3ce02108207a12
                                  • Instruction Fuzzy Hash: 51F03971505B12CFCB389F68E494822BBE1BF143293218A3FE6DA82720C731A840DF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001F09F4
                                    • Part of subcall function 001D7D2C: _memmove.LIBCMT ref: 001D7D66
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: LongNamePath_memmove
                                  • String ID:
                                  • API String ID: 2514874351-0
                                  • Opcode ID: 59b01468703dbe758effb66d91dd2676315e35cb2d3ae4797088f1200c27631e
                                  • Instruction ID: 8fe601333222600a9f6f5b629cbd4f6af69bc85b93b16c00019f0669e99fa8a0
                                  • Opcode Fuzzy Hash: 59b01468703dbe758effb66d91dd2676315e35cb2d3ae4797088f1200c27631e
                                  • Instruction Fuzzy Hash: AAE0CD7690432857C720E6989C05FFA77EDDF887A1F0401B6FC0CD7349EA709C918690
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                  • Instruction ID: 1c207b2e783e51811d31d9e2a1e1aaebf79929f1d4c84958bd6c0ae1fa100ece
                                  • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                  • Instruction Fuzzy Hash: FAE092B0114B015FDB348E24D8507E373E1AB16315F00081CF2DA93341EBA2B8818759
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0020E16B,?,?,00000000), ref: 001D5DBF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: f6116b32e3584c46f8d188a6b4506385c15c171a7493cc081346f340a8cf3d0b
                                  • Instruction ID: 90bfc150bd57bf19897c001c91429bd244e8fce212ec71b1fe9e64339519e98c
                                  • Opcode Fuzzy Hash: f6116b32e3584c46f8d188a6b4506385c15c171a7493cc081346f340a8cf3d0b
                                  • Instruction Fuzzy Hash: 86D0C77564030CBFE710DB80DC46FAA777CD705711F100194FD0497290D6B27D508795
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __wfsopen
                                  • String ID:
                                  • API String ID: 197181222-0
                                  • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                  • Instruction ID: 23b2b38885d6ad8a813e7d4e2cec48b4b9a41dac73706f1880b1c81eec4229fb
                                  • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                  • Instruction Fuzzy Hash: 71B0927684020C77DF012E82EC02A693F1A9B50678F808020FB0C18162A673A6A09689
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetTempPathW.KERNELBASE(00000104,?), ref: 0021221A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: PathTemp
                                  • String ID:
                                  • API String ID: 2920410445-0
                                  • Opcode ID: 04217fc33ad5f6aaedfd0471ee7f15335c05a1b852abeb8099391c241a60cfdd
                                  • Instruction ID: 0378b30d255ab82f789cac26a82a5ca958054a2dc169845f4e5a843634be16f2
                                  • Opcode Fuzzy Hash: 04217fc33ad5f6aaedfd0471ee7f15335c05a1b852abeb8099391c241a60cfdd
                                  • Instruction Fuzzy Hash: 75C04C704641199BE715B750DD99AB8726CAF14705F1000D576459109196B05B90CE11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetLastError.KERNEL32(00000002,00000000), ref: 0023D46A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ErrorLast
                                  • String ID:
                                  • API String ID: 1452528299-0
                                  • Opcode ID: 3c5c7ce021ddbe6db64223446d70504aa83d3671f3eeaf57f7abb128cb886806
                                  • Instruction ID: d1ec7dfb86753f2945ee7607fa597219b36146c09214449b0ea5c71cbadfb31f
                                  • Opcode Fuzzy Hash: 3c5c7ce021ddbe6db64223446d70504aa83d3671f3eeaf57f7abb128cb886806
                                  • Instruction Fuzzy Hash: 707170712187029FC714EF24D4D1B6AB7E1AF98314F04496EF9968B3A2DB30ED19CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                  • Instruction ID: c830e2b15227bf6bf865fbaa03f8fbe311101202f21a5aba58df4ba721ab8394
                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                  • Instruction Fuzzy Hash: A731B371A00109DBC71ADF58D480969F7A6FF59301B658AA9E50ACB653D731EEC1CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Sleep.KERNELBASE(000007D0), ref: 01982312
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1241289123.0000000001980000.00000040.00001000.00020000.00000000.sdmp, Offset: 01980000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1980000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
                                  • Instruction ID: 29dd7cc53df8fda27a8f51183249d4ce1d93ac1382310922589655522b03aaa2
                                  • Opcode Fuzzy Hash: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
                                  • Instruction Fuzzy Hash: BCF0C93194010EAFCF00EFA4CA599EEBB74FF04711F504555FA1AA2180DB30AA51CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01982A37
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1241289123.0000000001980000.00000040.00001000.00020000.00000000.sdmp, Offset: 01980000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1980000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: FreeVirtual
                                  • String ID:
                                  • API String ID: 1263568516-0
                                  • Opcode ID: 82a462cccf3506bfd0baf2e7a31b9038e7b0e0c34066bb69f636762cb8e38e8b
                                  • Instruction ID: 0ed91492003bdedc62a2cb4dc6188eee0e2915fecf9ff101483d9956a3fe55c1
                                  • Opcode Fuzzy Hash: 82a462cccf3506bfd0baf2e7a31b9038e7b0e0c34066bb69f636762cb8e38e8b
                                  • Instruction Fuzzy Hash: 0CF01C71E04248DFCB11CB98C944BADBBB4EF55301F2080AAE545A7282C6356A04DB11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D2612: GetWindowLongW.USER32(?,000000EB), ref: 001D2623
                                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0025CE50
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0025CE91
                                  • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0025CED6
                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0025CF00
                                  • SendMessageW.USER32 ref: 0025CF29
                                  • _wcsncpy.LIBCMT ref: 0025CFA1
                                  • GetKeyState.USER32(00000011), ref: 0025CFC2
                                  • GetKeyState.USER32(00000009), ref: 0025CFCF
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0025CFE5
                                  • GetKeyState.USER32(00000010), ref: 0025CFEF
                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0025D018
                                  • SendMessageW.USER32 ref: 0025D03F
                                  • SendMessageW.USER32(?,00001030,?,0025B602), ref: 0025D145
                                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0025D15B
                                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0025D16E
                                  • SetCapture.USER32(?), ref: 0025D177
                                  • ClientToScreen.USER32(?,?), ref: 0025D1DC
                                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0025D1E9
                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0025D203
                                  • ReleaseCapture.USER32 ref: 0025D20E
                                  • GetCursorPos.USER32(?), ref: 0025D248
                                  • ScreenToClient.USER32(?,?), ref: 0025D255
                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0025D2B1
                                  • SendMessageW.USER32 ref: 0025D2DF
                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0025D31C
                                  • SendMessageW.USER32 ref: 0025D34B
                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0025D36C
                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0025D37B
                                  • GetCursorPos.USER32(?), ref: 0025D39B
                                  • ScreenToClient.USER32(?,?), ref: 0025D3A8
                                  • GetParent.USER32(?), ref: 0025D3C8
                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0025D431
                                  • SendMessageW.USER32 ref: 0025D462
                                  • ClientToScreen.USER32(?,?), ref: 0025D4C0
                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0025D4F0
                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0025D51A
                                  • SendMessageW.USER32 ref: 0025D53D
                                  • ClientToScreen.USER32(?,?), ref: 0025D58F
                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0025D5C3
                                    • Part of subcall function 001D25DB: GetWindowLongW.USER32(?,000000EB), ref: 001D25EC
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0025D65F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                  • String ID: @GUI_DRAGID$F$pr)
                                  • API String ID: 3977979337-169570804
                                  • Opcode ID: 20e4398056816cc0dfda9cdee024b4a81bb913563571fb0a740107e004cbdb33
                                  • Instruction ID: fc8808280f72a1d93bcb96b2939f2d716457316798323886f07cd0b7ad829ba5
                                  • Opcode Fuzzy Hash: 20e4398056816cc0dfda9cdee024b4a81bb913563571fb0a740107e004cbdb33
                                  • Instruction Fuzzy Hash: B142AE30114342AFDB21CF28D888FAABBE5FF48315F24051DFA55872A0D7719868CB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0025873F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: %d/%02d/%02d
                                  • API String ID: 3850602802-328681919
                                  • Opcode ID: 7fb0a9e2ef047bc10e879ad3828f2443a1b41e535b282daa5009006431135e43
                                  • Instruction ID: 1deafdddf262437cddc539a0467df81d178150a51f45dc3d5a162ca56f569a6f
                                  • Opcode Fuzzy Hash: 7fb0a9e2ef047bc10e879ad3828f2443a1b41e535b282daa5009006431135e43
                                  • Instruction Fuzzy Hash: 4712D171510309ABEB258F24DC49FAB7BF8EF49312F204169F915EA2A1DFB08955CB18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memmove$_memset
                                  • String ID: 0w($DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                  • API String ID: 1357608183-1945848293
                                  • Opcode ID: 270abc35bfa0cb1dc30004545ab7c722cd2005ca0dd38439591c26a64d36ab84
                                  • Instruction ID: 7e62f9419561ef222059221a67ada0048775671a423f2f3cda07be904aac86d5
                                  • Opcode Fuzzy Hash: 270abc35bfa0cb1dc30004545ab7c722cd2005ca0dd38439591c26a64d36ab84
                                  • Instruction Fuzzy Hash: 2193B571E10226EFDB24CF98D881BADB7B1FF48710F25816AE945EB280D7759E91CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetForegroundWindow.USER32(00000000,?), ref: 001D4A3D
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0020DA8E
                                  • IsIconic.USER32(?), ref: 0020DA97
                                  • ShowWindow.USER32(?,00000009), ref: 0020DAA4
                                  • SetForegroundWindow.USER32(?), ref: 0020DAAE
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0020DAC4
                                  • GetCurrentThreadId.KERNEL32 ref: 0020DACB
                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0020DAD7
                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 0020DAE8
                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 0020DAF0
                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 0020DAF8
                                  • SetForegroundWindow.USER32(?), ref: 0020DAFB
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0020DB10
                                  • keybd_event.USER32(00000012,00000000), ref: 0020DB1B
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0020DB25
                                  • keybd_event.USER32(00000012,00000000), ref: 0020DB2A
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0020DB33
                                  • keybd_event.USER32(00000012,00000000), ref: 0020DB38
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0020DB42
                                  • keybd_event.USER32(00000012,00000000), ref: 0020DB47
                                  • SetForegroundWindow.USER32(?), ref: 0020DB4A
                                  • AttachThreadInput.USER32(?,?,00000000), ref: 0020DB71
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 4125248594-2988720461
                                  • Opcode ID: 8d9db5a812132be184ab78badb21e2e902274ab4425f5f9b0d3d862dbad29e81
                                  • Instruction ID: 45bd2710902307e39c631ced94a766986ea704dd5799aade98600e4a3c680c76
                                  • Opcode Fuzzy Hash: 8d9db5a812132be184ab78badb21e2e902274ab4425f5f9b0d3d862dbad29e81
                                  • Instruction Fuzzy Hash: 2831A171A90318BBEB206FA1AD4DF7F7E6CEB44B51F114025FA04EB1D1DAB05D10ABA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OpenClipboard.USER32(0025F910), ref: 00244284
                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 00244292
                                  • GetClipboardData.USER32(0000000D), ref: 0024429A
                                  • CloseClipboard.USER32 ref: 002442A6
                                  • GlobalLock.KERNEL32(00000000), ref: 002442C2
                                  • CloseClipboard.USER32 ref: 002442CC
                                  • GlobalUnlock.KERNEL32(00000000,00000000), ref: 002442E1
                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 002442EE
                                  • GetClipboardData.USER32(00000001), ref: 002442F6
                                  • GlobalLock.KERNEL32(00000000), ref: 00244303
                                  • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00244337
                                  • CloseClipboard.USER32 ref: 00244447
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                  • String ID:
                                  • API String ID: 3222323430-0
                                  • Opcode ID: 0dff8869ab425cffbc9597721c3e4d392868b4c72f788fd3fc4c976a13bf2af9
                                  • Instruction ID: 4867de0e3b246a126434eeb8baa1ffa542eea6a84ae15349020546d85eac011b
                                  • Opcode Fuzzy Hash: 0dff8869ab425cffbc9597721c3e4d392868b4c72f788fd3fc4c976a13bf2af9
                                  • Instruction Fuzzy Hash: F951AD71214302ABD305FF60ED8AF7E77A8AF94B01F10452AF956D32A1DBB0D9148B66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 0023C9F8
                                  • FindClose.KERNEL32(00000000), ref: 0023CA4C
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0023CA71
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0023CA88
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0023CAAF
                                  • __swprintf.LIBCMT ref: 0023CAFB
                                  • __swprintf.LIBCMT ref: 0023CB3E
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                  • __swprintf.LIBCMT ref: 0023CB92
                                    • Part of subcall function 001F38D8: __woutput_l.LIBCMT ref: 001F3931
                                  • __swprintf.LIBCMT ref: 0023CBE0
                                    • Part of subcall function 001F38D8: __flsbuf.LIBCMT ref: 001F3953
                                    • Part of subcall function 001F38D8: __flsbuf.LIBCMT ref: 001F396B
                                  • __swprintf.LIBCMT ref: 0023CC2F
                                  • __swprintf.LIBCMT ref: 0023CC7E
                                  • __swprintf.LIBCMT ref: 0023CCCD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                  • API String ID: 3953360268-2428617273
                                  • Opcode ID: 9311f653946c66073b7b644545eeb7daeb9ca0e41dd24d7a0734e24ebb72cbd5
                                  • Instruction ID: 32b39d1e6e7a945c904daded30e8af7b98afbdc16c21b43de7d575af8c717e7e
                                  • Opcode Fuzzy Hash: 9311f653946c66073b7b644545eeb7daeb9ca0e41dd24d7a0734e24ebb72cbd5
                                  • Instruction Fuzzy Hash: C1A14EB2418315ABC710EF64C985DAFB7ECFFA4704F40491AB596D3291EB34DA08CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 0023F221
                                  • _wcscmp.LIBCMT ref: 0023F236
                                  • _wcscmp.LIBCMT ref: 0023F24D
                                  • GetFileAttributesW.KERNEL32(?), ref: 0023F25F
                                  • SetFileAttributesW.KERNEL32(?,?), ref: 0023F279
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0023F291
                                  • FindClose.KERNEL32(00000000), ref: 0023F29C
                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0023F2B8
                                  • _wcscmp.LIBCMT ref: 0023F2DF
                                  • _wcscmp.LIBCMT ref: 0023F2F6
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0023F308
                                  • SetCurrentDirectoryW.KERNEL32(0028A5A0), ref: 0023F326
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0023F330
                                  • FindClose.KERNEL32(00000000), ref: 0023F33D
                                  • FindClose.KERNEL32(00000000), ref: 0023F34F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                  • String ID: *.*
                                  • API String ID: 1803514871-438819550
                                  • Opcode ID: 1d0dd19238567c06c2c58ed7833ef829410584ac82a4254ef8ce9ee014a99997
                                  • Instruction ID: aeda0379ad2d98a8311dee14ec6d3200d69a9d9c72715d1a7914acb7f1e2b9a6
                                  • Opcode Fuzzy Hash: 1d0dd19238567c06c2c58ed7833ef829410584ac82a4254ef8ce9ee014a99997
                                  • Instruction Fuzzy Hash: 6931FAB691124A7ADB50EFB0FD48AEF73AC9F09321F5001B6ED10D30A0EB34DA55CA54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00250BDE
                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,0025F910,00000000,?,00000000,?,?), ref: 00250C4C
                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00250C94
                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00250D1D
                                  • RegCloseKey.ADVAPI32(?), ref: 0025103D
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0025104A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Close$ConnectCreateRegistryValue
                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                  • API String ID: 536824911-966354055
                                  • Opcode ID: 09e1d950ccf67a0745c2c31561b6edce9e716f96746d5fce5439bc51aea86f00
                                  • Instruction ID: 7675da6619f68f0969f49305e68b2a655385656ed5b86a52a96844e784f0e2fd
                                  • Opcode Fuzzy Hash: 09e1d950ccf67a0745c2c31561b6edce9e716f96746d5fce5439bc51aea86f00
                                  • Instruction Fuzzy Hash: 480290752146129FCB14EF24C895E2AB7E5FF89714F04885DF88A9B3A2CB30EC55CB85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 0023F37E
                                  • _wcscmp.LIBCMT ref: 0023F393
                                  • _wcscmp.LIBCMT ref: 0023F3AA
                                    • Part of subcall function 002345C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002345DC
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0023F3D9
                                  • FindClose.KERNEL32(00000000), ref: 0023F3E4
                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0023F400
                                  • _wcscmp.LIBCMT ref: 0023F427
                                  • _wcscmp.LIBCMT ref: 0023F43E
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0023F450
                                  • SetCurrentDirectoryW.KERNEL32(0028A5A0), ref: 0023F46E
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0023F478
                                  • FindClose.KERNEL32(00000000), ref: 0023F485
                                  • FindClose.KERNEL32(00000000), ref: 0023F497
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                  • String ID: *.*
                                  • API String ID: 1824444939-438819550
                                  • Opcode ID: cc6e3bfffa89624aefcd728676cc894f24e82227f68097b0d85df92572116a93
                                  • Instruction ID: c0f6fbd2475b36dfde20727f655d72225d4a69d687b73b18bce934e564750812
                                  • Opcode Fuzzy Hash: cc6e3bfffa89624aefcd728676cc894f24e82227f68097b0d85df92572116a93
                                  • Instruction Fuzzy Hash: AC31EBB291125A6BDB50EF64FD48AEF77AC9F09325F1001B5FA10D30A0DB74DE64CA54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0022874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00228766
                                    • Part of subcall function 0022874A: GetLastError.KERNEL32(?,0022822A,?,?,?), ref: 00228770
                                    • Part of subcall function 0022874A: GetProcessHeap.KERNEL32(00000008,?,?,0022822A,?,?,?), ref: 0022877F
                                    • Part of subcall function 0022874A: HeapAlloc.KERNEL32(00000000,?,0022822A,?,?,?), ref: 00228786
                                    • Part of subcall function 0022874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0022879D
                                    • Part of subcall function 002287E7: GetProcessHeap.KERNEL32(00000008,00228240,00000000,00000000,?,00228240,?), ref: 002287F3
                                    • Part of subcall function 002287E7: HeapAlloc.KERNEL32(00000000,?,00228240,?), ref: 002287FA
                                    • Part of subcall function 002287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00228240,?), ref: 0022880B
                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0022825B
                                  • _memset.LIBCMT ref: 00228270
                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0022828F
                                  • GetLengthSid.ADVAPI32(?), ref: 002282A0
                                  • GetAce.ADVAPI32(?,00000000,?), ref: 002282DD
                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002282F9
                                  • GetLengthSid.ADVAPI32(?), ref: 00228316
                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00228325
                                  • HeapAlloc.KERNEL32(00000000), ref: 0022832C
                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0022834D
                                  • CopySid.ADVAPI32(00000000), ref: 00228354
                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00228385
                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002283AB
                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002283BF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                  • String ID:
                                  • API String ID: 3996160137-0
                                  • Opcode ID: 4a07845367b85c39eebd5a89f7dba121b0705017fc8a6c0e03f5c04eb6563efc
                                  • Instruction ID: a255ffecaaee9e4c6df913b62e3aaf03587738e8ee1d5ff260ae0aae7e059f27
                                  • Opcode Fuzzy Hash: 4a07845367b85c39eebd5a89f7dba121b0705017fc8a6c0e03f5c04eb6563efc
                                  • Instruction Fuzzy Hash: 30615A7191121ABBDF00DFA4ED48AEEBBB9FF04700F188169F915A7291DB31DA15CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$PJ'$UCP)$UTF)$UTF16)
                                  • API String ID: 0-1028291396
                                  • Opcode ID: 87e1e95ed3f9cef9dbca5e390b470f59fbb341cf132d7fee53e1d6f9c1bb0280
                                  • Instruction ID: af660ec29281329253dcb67471f60999205f038103e256106d14a06ad027fdb4
                                  • Opcode Fuzzy Hash: 87e1e95ed3f9cef9dbca5e390b470f59fbb341cf132d7fee53e1d6f9c1bb0280
                                  • Instruction Fuzzy Hash: 5872C471E10629DBDB24CF99D880BADB7B5FF68310F54816AE849EB280D7709D91CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 002510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00250038,?,?), ref: 002510BC
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00250737
                                    • Part of subcall function 001D9997: __itow.LIBCMT ref: 001D99C2
                                    • Part of subcall function 001D9997: __swprintf.LIBCMT ref: 001D9A0C
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002507D6
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0025086E
                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00250AAD
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00250ABA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                  • String ID:
                                  • API String ID: 1240663315-0
                                  • Opcode ID: ba2d9761e599a866ea19539faf7ca4557f7a92d386c8ce901ace3960cb1eded7
                                  • Instruction ID: 85b5258d39007bd036ff4727fb4850835f0819e70df54b7a8f042e29182f4fab
                                  • Opcode Fuzzy Hash: ba2d9761e599a866ea19539faf7ca4557f7a92d386c8ce901ace3960cb1eded7
                                  • Instruction Fuzzy Hash: 46E16C31214311AFCB14DF25C895E2ABBE4EF88714B04896DF84ADB2A2DB30ED15CB55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 00230241
                                  • GetAsyncKeyState.USER32(000000A0), ref: 002302C2
                                  • GetKeyState.USER32(000000A0), ref: 002302DD
                                  • GetAsyncKeyState.USER32(000000A1), ref: 002302F7
                                  • GetKeyState.USER32(000000A1), ref: 0023030C
                                  • GetAsyncKeyState.USER32(00000011), ref: 00230324
                                  • GetKeyState.USER32(00000011), ref: 00230336
                                  • GetAsyncKeyState.USER32(00000012), ref: 0023034E
                                  • GetKeyState.USER32(00000012), ref: 00230360
                                  • GetAsyncKeyState.USER32(0000005B), ref: 00230378
                                  • GetKeyState.USER32(0000005B), ref: 0023038A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  • Opcode ID: 068844c16ccb66da109b2f02939404ffd946ea5067580e5882a98c152408d65b
                                  • Instruction ID: 4b66f31f654e983dd756cab91dd57fc9a7b0915b4a5de0866a638f67b7a63ec8
                                  • Opcode Fuzzy Hash: 068844c16ccb66da109b2f02939404ffd946ea5067580e5882a98c152408d65b
                                  • Instruction Fuzzy Hash: C1410CA05247CB6EFF714E6484A83B6BEA0AF11340F4840DDD9C5471C2E7E45DE487B2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                  • String ID:
                                  • API String ID: 1737998785-0
                                  • Opcode ID: f6a70eb84ee7cad02bd6c673daaf5d0e1faf0954d15a4897cfa91f288b9738f4
                                  • Instruction ID: 7c4851b17a694d12659a993e33e5c2e7366ba737a1f2eb85c69ebff9c412f5aa
                                  • Opcode Fuzzy Hash: f6a70eb84ee7cad02bd6c673daaf5d0e1faf0954d15a4897cfa91f288b9738f4
                                  • Instruction Fuzzy Hash: 1D21B036210221AFDB14AF60FD4DB6E77A8EF14716F10806AF906DB2B1DB75AD10CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001D48A1,?,?,001D37C0,?), ref: 001D48CE
                                    • Part of subcall function 00234CD3: GetFileAttributesW.KERNEL32(?,00233947), ref: 00234CD4
                                  • FindFirstFileW.KERNEL32(?,?), ref: 00233ADF
                                  • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00233B87
                                  • MoveFileW.KERNEL32(?,?), ref: 00233B9A
                                  • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00233BB7
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00233BD9
                                  • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00233BF5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                  • String ID: \*.*
                                  • API String ID: 4002782344-1173974218
                                  • Opcode ID: 3c18a0ff8d07f6c849173a71112e8877dc365fb36e0b6beff28d8c632f06ed9f
                                  • Instruction ID: 3f766382b0fa5c8e7136f871aac9dd669da0053a03995f388e341662a2851905
                                  • Opcode Fuzzy Hash: 3c18a0ff8d07f6c849173a71112e8877dc365fb36e0b6beff28d8c632f06ed9f
                                  • Instruction Fuzzy Hash: 4151B27180525D9BCF05EFA0DE929EDB779AF24304F2441AAE402B7191EF306F09CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                  • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0023F6AB
                                  • Sleep.KERNEL32(0000000A), ref: 0023F6DB
                                  • _wcscmp.LIBCMT ref: 0023F6EF
                                  • _wcscmp.LIBCMT ref: 0023F70A
                                  • FindNextFileW.KERNEL32(?,?), ref: 0023F7A8
                                  • FindClose.KERNEL32(00000000), ref: 0023F7BE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                  • String ID: *.*
                                  • API String ID: 713712311-438819550
                                  • Opcode ID: db7d1e98dbc4e50fc3cba9ef9b34c490d0beadc32aadcb9608184ccb7f74db14
                                  • Instruction ID: 81c69b534bf9c8978bf8f83ba77e3e2f6fc146b81631c20ad38f33ad1707c398
                                  • Opcode Fuzzy Hash: db7d1e98dbc4e50fc3cba9ef9b34c490d0beadc32aadcb9608184ccb7f74db14
                                  • Instruction Fuzzy Hash: 19419EB1D2021A9BCF51DF64DD89AEEBBB8FF15310F144566E814A32A0EB309E54CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                  • API String ID: 0-1546025612
                                  • Opcode ID: 943ead7d8a3d424a3f9e3cbf137cc0fc4dc7fac47f51980cbf44b09b70e39aaa
                                  • Instruction ID: a9d21e251375c359381942b78d93f5b60d451ac9d1845eb76f665405f2f36984
                                  • Opcode Fuzzy Hash: 943ead7d8a3d424a3f9e3cbf137cc0fc4dc7fac47f51980cbf44b09b70e39aaa
                                  • Instruction Fuzzy Hash: 33A28F70E0465ACBDF28CF59C9907EEB7B1BF64314F2581AAD856A7280D7309ED1CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID:
                                  • API String ID: 4104443479-0
                                  • Opcode ID: e8d18d450e8a8dd797be7dfddafe2b426c174b704f69127f2c9020d672e9e040
                                  • Instruction ID: a42671da5f8d71a04633b8af156163a162154ebba984cd6e9cce95a1f32eaea9
                                  • Opcode Fuzzy Hash: e8d18d450e8a8dd797be7dfddafe2b426c174b704f69127f2c9020d672e9e040
                                  • Instruction Fuzzy Hash: B4129C70A00A19EFDF14DFA5D985AEEB7F6FF58304F104129E406A7292EB35AD21CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00228CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00228D0D
                                    • Part of subcall function 00228CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00228D3A
                                    • Part of subcall function 00228CC3: GetLastError.KERNEL32 ref: 00228D47
                                  • ExitWindowsEx.USER32(?,00000000), ref: 0023549B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                  • String ID: $@$SeShutdownPrivilege
                                  • API String ID: 2234035333-194228
                                  • Opcode ID: d5594968d518c4f1b6ebaecf3d544704ac70bde4802ac299dda79c5bc28ec195
                                  • Instruction ID: d7b2509c44f9155ab1fb662352b1ae5b7ee27f973260f19a3272a129e0d29257
                                  • Opcode Fuzzy Hash: d5594968d518c4f1b6ebaecf3d544704ac70bde4802ac299dda79c5bc28ec195
                                  • Instruction Fuzzy Hash: 6C014CB1675B322AE72C6E74FC4ABB67258EB00353F240021FF0FD20D3DA904CA081A4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002465EF
                                  • WSAGetLastError.WSOCK32(00000000), ref: 002465FE
                                  • bind.WSOCK32(00000000,?,00000010), ref: 0024661A
                                  • listen.WSOCK32(00000000,00000005), ref: 00246629
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00246643
                                  • closesocket.WSOCK32(00000000,00000000), ref: 00246657
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                  • String ID:
                                  • API String ID: 1279440585-0
                                  • Opcode ID: 07c46548d9e8c9f1a99aa26f39ccd9dd84a64e066baaca17152e343e7330e844
                                  • Instruction ID: 16034ffbafc879097092d3bead9d000ecb9c350af83abeab77742dd7bb3d65e2
                                  • Opcode Fuzzy Hash: 07c46548d9e8c9f1a99aa26f39ccd9dd84a64e066baaca17152e343e7330e844
                                  • Instruction Fuzzy Hash: A121EA31210210AFCB04AF24E98DB2EB3A8EF49321F11816AE916A73D1CB74AC108B56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00228B2A
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00228B31
                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00228B40
                                  • CloseHandle.KERNEL32(00000004), ref: 00228B4B
                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00228B7A
                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 00228B8E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                  • String ID:
                                  • API String ID: 1413079979-0
                                  • Opcode ID: 7342a17a9aaeab32de06fc65990ee4de3eee0af274aa91df80ba18c1f3cd890d
                                  • Instruction ID: 21533360f604665d4ed2fa505ef7fa655b6db4da7c61325a9b2dfb48be8ba04a
                                  • Opcode Fuzzy Hash: 7342a17a9aaeab32de06fc65990ee4de3eee0af274aa91df80ba18c1f3cd890d
                                  • Instruction Fuzzy Hash: 41113AB250124ABFDF018FA4ED48EEE7BA9EB08309F044069FA04E2160C675CD60EB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001F0FF6: std::exception::exception.LIBCMT ref: 001F102C
                                    • Part of subcall function 001F0FF6: __CxxThrowException@8.LIBCMT ref: 001F1041
                                  • _memmove.LIBCMT ref: 0022062F
                                  • _memmove.LIBCMT ref: 00220744
                                  • _memmove.LIBCMT ref: 002207EB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memmove$Exception@8Throwstd::exception::exception
                                  • String ID:
                                  • API String ID: 1300846289-0
                                  • Opcode ID: 439151a7afaf6bbd825ca1565a55e8951cfa8593d20c9e1291833f0928d6e383
                                  • Instruction ID: 12e1872fc11c11a741a7cf7ec36b4210d30e017b05ba9e0e8091553dccedb8ee
                                  • Opcode Fuzzy Hash: 439151a7afaf6bbd825ca1565a55e8951cfa8593d20c9e1291833f0928d6e383
                                  • Instruction Fuzzy Hash: 730290B0A10119EBDF04DF65E981ABEBBB5FF54300F148069E806DB296EB31D961CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D2612: GetWindowLongW.USER32(?,000000EB), ref: 001D2623
                                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 001D19FA
                                  • GetSysColor.USER32(0000000F), ref: 001D1A4E
                                  • SetBkColor.GDI32(?,00000000), ref: 001D1A61
                                    • Part of subcall function 001D1290: DefDlgProcW.USER32(?,00000020,?), ref: 001D12D8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ColorProc$LongWindow
                                  • String ID:
                                  • API String ID: 3744519093-0
                                  • Opcode ID: f1f133dd75ec2ea40c461b7871cec2fc3004c1c6c0d3af471c2c20a43a467b23
                                  • Instruction ID: 67ec65b41437f377944ca041554d5960f4e23c5813189b96aebc6385e3e90363
                                  • Opcode Fuzzy Hash: f1f133dd75ec2ea40c461b7871cec2fc3004c1c6c0d3af471c2c20a43a467b23
                                  • Instruction Fuzzy Hash: E3A166711252A5BEEB3DAF289C58DBF359CDB42346B25011BF802D73D6DB20CC2182B5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 002480A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002480CB
                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00246AB1
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00246ADA
                                  • bind.WSOCK32(00000000,?,00000010), ref: 00246B13
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00246B20
                                  • closesocket.WSOCK32(00000000,00000000), ref: 00246B34
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                  • String ID:
                                  • API String ID: 99427753-0
                                  • Opcode ID: 9e21ab92b926856dc74b0db3b19c798c5f9ee1404b57fc1913937b54e4d2ad84
                                  • Instruction ID: 928d05e8ccda4f8f5e1840c5673df25d495ee7a6a6eb85775b978405ff7fc729
                                  • Opcode Fuzzy Hash: 9e21ab92b926856dc74b0db3b19c798c5f9ee1404b57fc1913937b54e4d2ad84
                                  • Instruction Fuzzy Hash: 9541C575710210AFEB14BF64DC8AF7EB7A9DB15714F04805AF91AAB3C2DB709D008B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                  • String ID:
                                  • API String ID: 292994002-0
                                  • Opcode ID: 302e45bb3412daf5aff7bc1f94030c562cf95bc2da99779f0bd12f3deaebc713
                                  • Instruction ID: dc4cf3b105180e53d217f171f385c4fbef5a49c8f0863c9f3b93c6aa84b17ec6
                                  • Opcode Fuzzy Hash: 302e45bb3412daf5aff7bc1f94030c562cf95bc2da99779f0bd12f3deaebc713
                                  • Instruction Fuzzy Hash: E511B232310A716FE7212F26EC68B2FB79CEF54722B814029F806D7241CB70DD118AA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 0023C69D
                                  • CoCreateInstance.OLE32(00262D6C,00000000,00000001,00262BDC,?), ref: 0023C6B5
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                  • CoUninitialize.OLE32 ref: 0023C922
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CreateInitializeInstanceUninitialize_memmove
                                  • String ID: .lnk
                                  • API String ID: 2683427295-24824748
                                  • Opcode ID: 40aed780337ccd7e0807f9ea06b08ba53bdfb157cd7710d82aca2e0216974592
                                  • Instruction ID: 8b1abce69fa0bc7e701718960b61385ddb656929c9b19337676afda4933e7941
                                  • Opcode Fuzzy Hash: 40aed780337ccd7e0807f9ea06b08ba53bdfb157cd7710d82aca2e0216974592
                                  • Instruction Fuzzy Hash: 0AA12B72118205AFD700EF64C881EABB7ECFF95704F00495DF156972A2EB71EA49CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00211D88,?), ref: 0024C312
                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0024C324
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                  • API String ID: 2574300362-1816364905
                                  • Opcode ID: bb3c9841d7ba957c13cc2e831079ffee4f0653454985dde8fdf1d814c2a2f94a
                                  • Instruction ID: 6e081798ea25be41aa3854cb45018cdd089b2c0af233d6009fa521b7aa15a56f
                                  • Opcode Fuzzy Hash: bb3c9841d7ba957c13cc2e831079ffee4f0653454985dde8fdf1d814c2a2f94a
                                  • Instruction Fuzzy Hash: 8EE0C274221703CFCBB45F29D908A467AD4EF0D306F90C479E889C62A0E770E860CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __itow__swprintf
                                  • String ID:
                                  • API String ID: 674341424-0
                                  • Opcode ID: 056bb2aee33dfb181de643328925031070ddd38c6e7763684a28a1c3d046d562
                                  • Instruction ID: a237d71c86008c5c4311a7c724566b22cf06ee97699dafad19960ec04449a381
                                  • Opcode Fuzzy Hash: 056bb2aee33dfb181de643328925031070ddd38c6e7763684a28a1c3d046d562
                                  • Instruction Fuzzy Hash: A222BB716187419FC724DF24C885BAFB7E4AF98304F10492DF8AA97391DB70EA44CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 0024F151
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0024F15F
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                  • Process32NextW.KERNEL32(00000000,?), ref: 0024F21F
                                  • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0024F22E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                  • String ID:
                                  • API String ID: 2576544623-0
                                  • Opcode ID: 3816cbd3798c633b5c8df5782e7bfcd2a2e19deed4da58409d526eb54e43209c
                                  • Instruction ID: 3c0fce8f5a64d9e0af7e4cb0859b9f1e6e8b1f05917068f0d57abf14e11d89f1
                                  • Opcode Fuzzy Hash: 3816cbd3798c633b5c8df5782e7bfcd2a2e19deed4da58409d526eb54e43209c
                                  • Instruction Fuzzy Hash: C1518F71514711AFD354EF24DC85E6BB7E8FFA4710F10482EF496972A1EB70A904CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0022EB19
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: lstrlen
                                  • String ID: ($|
                                  • API String ID: 1659193697-1631851259
                                  • Opcode ID: 35f46228239753ef096410a105270eb28d6dbd45fad68d874c83c7b8a5776087
                                  • Instruction ID: bcf273688fe28cbf74bc719adb338ae74c638380d4de24b0aa9c58e418a9c82b
                                  • Opcode Fuzzy Hash: 35f46228239753ef096410a105270eb28d6dbd45fad68d874c83c7b8a5776087
                                  • Instruction Fuzzy Hash: A8325775A10715AFCB28CF59D481A6AB7F0FF48320B16C56EE89ACB3A1D770E951CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 002426D5
                                  • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0024270C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Internet$AvailableDataFileQueryRead
                                  • String ID:
                                  • API String ID: 599397726-0
                                  • Opcode ID: 3d809d3c7a0b67ea6ccfa240d7d96e9140fdaa93189ca8a6cd1ff62d6a796411
                                  • Instruction ID: 8e6c1dcff355f8d677cc9089446de162f6190084839a180218fb65f5ba92ad0f
                                  • Opcode Fuzzy Hash: 3d809d3c7a0b67ea6ccfa240d7d96e9140fdaa93189ca8a6cd1ff62d6a796411
                                  • Instruction Fuzzy Hash: A341287152030AFFEB28DF56DC85EBBB7BCEB40724F50406AF601A6140EBB09D59DA54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0023B5AE
                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0023B608
                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0023B655
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DiskFreeSpace
                                  • String ID:
                                  • API String ID: 1682464887-0
                                  • Opcode ID: 5127376fc60b8c205581fb23b824c2a8f1e47c0d230b14ae9b6dfe55431596c7
                                  • Instruction ID: a4067c2e7056f688fa9c265480dea1acca9d5f7ea7daa5023c97eb8429dc9334
                                  • Opcode Fuzzy Hash: 5127376fc60b8c205581fb23b824c2a8f1e47c0d230b14ae9b6dfe55431596c7
                                  • Instruction Fuzzy Hash: 4D21A475A10618EFCB00EF65E884EADBBB8FF48310F0480AAE945EB351CB319915CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001F0FF6: std::exception::exception.LIBCMT ref: 001F102C
                                    • Part of subcall function 001F0FF6: __CxxThrowException@8.LIBCMT ref: 001F1041
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00228D0D
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00228D3A
                                  • GetLastError.KERNEL32 ref: 00228D47
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                  • String ID:
                                  • API String ID: 1922334811-0
                                  • Opcode ID: be998e04556a6fd1fa38a52d4cd03be9b8f41c04f43458153c38ab7d93f0e2bb
                                  • Instruction ID: 9c411d5afbcb27bf47b2f9d22d92dcaf520606af2881ecc99c37095ca740d793
                                  • Opcode Fuzzy Hash: be998e04556a6fd1fa38a52d4cd03be9b8f41c04f43458153c38ab7d93f0e2bb
                                  • Instruction Fuzzy Hash: 1511B2B1424309BFD7289F64EC89D6BB7BCEB04711B20852EF44583241DF70EC418A60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0023404B
                                  • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00234088
                                  • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00234091
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CloseControlCreateDeviceFileHandle
                                  • String ID:
                                  • API String ID: 33631002-0
                                  • Opcode ID: b57c720ae5d1f537a650051949fa3e80b57600f64821c389981c02ebe6c68424
                                  • Instruction ID: 55f459e967d348673df2c085664552a3e3573305ddfe993e43987bc465a0ed97
                                  • Opcode Fuzzy Hash: b57c720ae5d1f537a650051949fa3e80b57600f64821c389981c02ebe6c68424
                                  • Instruction Fuzzy Hash: D01186B1E14225BEE7149BE8DC48FAFBBBCEB08710F000556BA04E7191C2745D1447A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00234C2C
                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00234C43
                                  • FreeSid.ADVAPI32(?), ref: 00234C53
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                  • String ID:
                                  • API String ID: 3429775523-0
                                  • Opcode ID: cf06df4f1bccad78a74e545a8ae31435805c5ee114277aa028cad8e67f405ebc
                                  • Instruction ID: e51fe73cc9635c908dcb5cc2f3541e429e4dbcfc88b4a41659649a4b85463932
                                  • Opcode Fuzzy Hash: cf06df4f1bccad78a74e545a8ae31435805c5ee114277aa028cad8e67f405ebc
                                  • Instruction Fuzzy Hash: 2EF06D75A1130DBFDF04DFF0ED89ABEBBBCEF08211F0044A9A902E2181E7706A048B54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __time64.LIBCMT ref: 00238B25
                                    • Part of subcall function 001F543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,002391F8,00000000,?,?,?,?,002393A9,00000000,?), ref: 001F5443
                                    • Part of subcall function 001F543A: __aulldiv.LIBCMT ref: 001F5463
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Time$FileSystem__aulldiv__time64
                                  • String ID: 0u)
                                  • API String ID: 2893107130-3419416925
                                  • Opcode ID: 5ab8a2f0c84ca66dd602386311b20d9cafa85ca460aff9c626d43b22b5dc68f5
                                  • Instruction ID: 8e529093fdf628389f8bed5bd4310ade472bbaa67659536765555bbda2b20d72
                                  • Opcode Fuzzy Hash: 5ab8a2f0c84ca66dd602386311b20d9cafa85ca460aff9c626d43b22b5dc68f5
                                  • Instruction Fuzzy Hash: BB21D272635611CBC729CF25E441A52B3E1EBA4311F288E6DE5E5CF2D0CA74B905CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 0023C966
                                  • FindClose.KERNEL32(00000000), ref: 0023C996
                                  Similarity
                                  • API ID: Find$CloseFileFirst
                                  • String ID:
                                  • API String ID: 2295610775-0
                                  • Opcode ID: 57859d32e17063e53d29df245c79569a8d70717c9d5e30dae64089c1af854aff
                                  • Instruction ID: fe4a0cbfb0a844e7d8ebdaaaa08af2f0c8069eccc331dcfacd869dafbae37ac9
                                  • Instruction Fuzzy Hash: 9C11A1726102109FD710EF29D849A2AF7E9FF94324F00855EF8A9D73A1DB30AC00CB81

                                  APIs
                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0024977D,?,0025FB84,?), ref: 0023A302
                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0024977D,?,0025FB84,?), ref: 0023A314
                                  Similarity
                                  • API ID: ErrorFormatLastMessage
                                  • String ID:
                                  • API String ID: 3479602957-0
                                  • Opcode ID: 385bf0122eb3b8ad30986580e1e40f760a97e6c9cc7eb4f8b999f2c293d908b7
                                  • Instruction ID: bf1093d07c9fa6b13d9464e13063d437c47cf8004915a5b57a9b27b2f231a06d
                                  • Instruction Fuzzy Hash: 6FF0E23151432DBBEB20AFA4CC4DFEA736CBF08361F0041A6B809D3181D7309910CBA1

                                  APIs
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00228851), ref: 00228728
                                  • CloseHandle.KERNEL32(?,?,00228851), ref: 0022873A
                                  Similarity
                                  • API ID: AdjustCloseHandlePrivilegesToken
                                  • String ID:
                                  • API String ID: 81990902-0
                                  • Opcode ID: cea051e9738a500b19f3649a16ca36ce3ba130f01d3f687938f14c10045f895f
                                  • Instruction ID: 1228c38032c9003f5ecc41cf7e75415060da51ef7c50394df90ce19b16545330
                                  • Instruction Fuzzy Hash: 1CE0B676015651FEEB652B60FD09D77BBA9EB043517248829B59680470DB72AC90DB10

                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,001F8F97,?,?,?,00000001), ref: 001FA39A
                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 001FA3A3
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: 03ace973cb8dc87000853568e0b532e56c5ae5c3bec951fff798c8785a1ccc4a
                                  • Instruction ID: 71753bc35278d18532d635bb786435f0dc37328864c3d68b297fd43a0f1ef3a8
                                  • Instruction Fuzzy Hash: 97B09231054348BBEA802F91FE0DB893F68EB44AA3F4040A0FE0D84070CB7254508A99

                                  APIs
                                  • BlockInput.USER32(00000001), ref: 00244218
                                  Similarity
                                  • API ID: BlockInput
                                  • String ID:
                                  • API String ID: 3456056419-0
                                  • Opcode ID: 7ae051bc936739028f44f8a9204d7acb6df414e8f1d4c3d4883c9cd964974819
                                  • Instruction ID: 16ab0c78ae77bee5cde667e0d28504ae9afb6573458476f81e14462e4eab35e7
                                  • Instruction Fuzzy Hash: D4E012322502145FC710EF59D444A5AB7D8AF64761F008016FC49C7351DBB0A8408B90

                                  APIs
                                  • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00234F18
                                  Similarity
                                  • API ID: mouse_event
                                  • String ID:
                                  • API String ID: 2434400541-0
                                  • Opcode ID: 0dda59a673cf950e6d6921ab8ec194f222202f3fb338115b2bbcfded83b9852a
                                  • Instruction ID: ccfad0fff2bc2dc3655845c3d4f6937f6045bfff997039fd81f7a1739811a727
                                  • Instruction Fuzzy Hash: 12D09EF417460679FC186F21AD1FF771109E350792FDC59C9720195CC1A8E57875E435

                                  APIs
                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,002288D1), ref: 00228CB3
                                  Similarity
                                  • API ID: LogonUser
                                  • String ID:
                                  • API String ID: 1244722697-0
                                  • Opcode ID: 1c855f72ca8ceb47f65b38693f23bdca91b4f4db6bffbb26490c16bf7b008748
                                  • Instruction ID: bfb5d5664d496528cce6823cdf06fe6bdae6ccbafd04440968e7cf774014e569
                                  • Instruction Fuzzy Hash: F0D05E3226060EABEF418EA4ED05EAE3B69EB04B01F408111FE15C50A1C775D835AB60

                                  APIs
                                  • GetUserNameW.ADVAPI32(?,?), ref: 00212242
                                  Similarity
                                  • API ID: NameUser
                                  • String ID:
                                  • API String ID: 2645101109-0
                                  • Opcode ID: 522209b90fc7eac8dfa8e1b319ed06f2620cfdffe0725b0ffb838f5831ca8d4e
                                  • Instruction ID: 2cb774f7621c064d95f1459c2e9e324efc9296cde924304acc105f1896bd84d6
                                  • Instruction Fuzzy Hash: D8C04CF1815109DBDB05DB90EA88DEE77BCAB04315F144055A101F2140D7749B548A71

                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 001FA36A
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: b711d621840167b627acd1f39cb5703424bc5404ccc6e70f80c787fc78138b18
                                  • Instruction ID: b2d5dad2c72869ed224e81a167769a4a359fbff7f4514031cd111bd7c7d03197
                                  • Instruction Fuzzy Hash: 3FA0113000020CBB8A002F82FE08888BFACEA002A2B0080A0FC0C800328B32A8208A88

                                  APIs
                                  • CharUpperBuffW.USER32(?,?,0025F910), ref: 002538AF
                                  • IsWindowVisible.USER32(?), ref: 002538D3
                                  Strings
                                  Similarity
                                  • API ID: BuffCharUpperVisibleWindow
                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                  • API String ID: 4105515805-45149045
                                  • Opcode ID: 20915e480d1d8516442127a5abbdb3d3a459b03187cd476ffd888daecc9b16f9
                                  • Instruction ID: b2e1cafc0fac9830ddfa1436fced7fa49129c0b7ccbdba55523f4166f01e2cb5
                                  • Opcode Fuzzy Hash: 20915e480d1d8516442127a5abbdb3d3a459b03187cd476ffd888daecc9b16f9
                                  • Instruction Fuzzy Hash: 84D1E130224306DBCB14FF50C451A6AB7A1AFA5395F00545DBC865B3E3CB31EE2ACB45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetTextColor.GDI32(?,00000000), ref: 0025A89F
                                  • GetSysColorBrush.USER32(0000000F), ref: 0025A8D0
                                  • GetSysColor.USER32(0000000F), ref: 0025A8DC
                                  • SetBkColor.GDI32(?,000000FF), ref: 0025A8F6
                                  • SelectObject.GDI32(?,?), ref: 0025A905
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 0025A930
                                  • GetSysColor.USER32(00000010), ref: 0025A938
                                  • CreateSolidBrush.GDI32(00000000), ref: 0025A93F
                                  • FrameRect.USER32(?,?,00000000), ref: 0025A94E
                                  • DeleteObject.GDI32(00000000), ref: 0025A955
                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 0025A9A0
                                  • FillRect.USER32(?,?,?), ref: 0025A9D2
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0025A9FD
                                    • Part of subcall function 0025AB60: GetSysColor.USER32(00000012), ref: 0025AB99
                                    • Part of subcall function 0025AB60: SetTextColor.GDI32(?,?), ref: 0025AB9D
                                    • Part of subcall function 0025AB60: GetSysColorBrush.USER32(0000000F), ref: 0025ABB3
                                    • Part of subcall function 0025AB60: GetSysColor.USER32(0000000F), ref: 0025ABBE
                                    • Part of subcall function 0025AB60: GetSysColor.USER32(00000011), ref: 0025ABDB
                                    • Part of subcall function 0025AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0025ABE9
                                    • Part of subcall function 0025AB60: SelectObject.GDI32(?,00000000), ref: 0025ABFA
                                    • Part of subcall function 0025AB60: SetBkColor.GDI32(?,00000000), ref: 0025AC03
                                    • Part of subcall function 0025AB60: SelectObject.GDI32(?,?), ref: 0025AC10
                                    • Part of subcall function 0025AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0025AC2F
                                    • Part of subcall function 0025AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0025AC46
                                    • Part of subcall function 0025AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0025AC5B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                  • String ID:
                                  • API String ID: 4124339563-0
                                  • Opcode ID: 2ef37a4c653e159dff5990c19a00670ccb62c4e7ff0c50cd607043fc38ecb62f
                                  • Instruction ID: 7dce589fff124010a51db4381f544e10437483b6ae268758ade568fd81ecf1f2
                                  • Opcode Fuzzy Hash: 2ef37a4c653e159dff5990c19a00670ccb62c4e7ff0c50cd607043fc38ecb62f
                                  • Instruction Fuzzy Hash: 6EA19E72018301EFD7509F64ED0DA6BBBA9FF88322F104B29F962961E0D770D848CB56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DestroyWindow.USER32(?,?,?), ref: 001D2CA2
                                  • DeleteObject.GDI32(00000000), ref: 001D2CE8
                                  • DeleteObject.GDI32(00000000), ref: 001D2CF3
                                  • DestroyIcon.USER32(00000000,?,?,?), ref: 001D2CFE
                                  • DestroyWindow.USER32(00000000,?,?,?), ref: 001D2D09
                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 0020C68B
                                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0020C6C4
                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0020CAED
                                    • Part of subcall function 001D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001D2036,?,00000000,?,?,?,?,001D16CB,00000000,?), ref: 001D1B9A
                                  • SendMessageW.USER32(?,00001053), ref: 0020CB2A
                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0020CB41
                                  • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0020CB57
                                  • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0020CB62
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                  • String ID: 0
                                  • API String ID: 464785882-4108050209
                                  • Opcode ID: 40b41c0b324115a377d2f75f51c95f55ff9bcfd75fa257be03a5d6c7ac20e7e1
                                  • Instruction ID: 4c08c65296240a1d8fc08cfad75d08dc797f4ee47fdf80194868b05cb930d8fa
                                  • Opcode Fuzzy Hash: 40b41c0b324115a377d2f75f51c95f55ff9bcfd75fa257be03a5d6c7ac20e7e1
                                  • Instruction Fuzzy Hash: 5C12BF70220302EFCB25CF24C988BAAB7E5BF15311F64466AE855CB2A2C731EC52CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DestroyWindow.USER32(00000000), ref: 002477F1
                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002478B0
                                  • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002478EE
                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00247900
                                  • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00247946
                                  • GetClientRect.USER32(00000000,?), ref: 00247952
                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00247996
                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002479A5
                                  • GetStockObject.GDI32(00000011), ref: 002479B5
                                  • SelectObject.GDI32(00000000,00000000), ref: 002479B9
                                  • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002479C9
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002479D2
                                  • DeleteDC.GDI32(00000000), ref: 002479DB
                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00247A07
                                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 00247A1E
                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00247A59
                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00247A6D
                                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 00247A7E
                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00247AAE
                                  • GetStockObject.GDI32(00000011), ref: 00247AB9
                                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00247AC4
                                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00247ACE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                  • API String ID: 2910397461-517079104
                                  • Opcode ID: 0c5ee7d7e5cf7983d0ad4bf4db3b554a1af7f7309cb84fb1a586f48f2319fd2b
                                  • Instruction ID: 1c8b7056cb2d984569b4c81c357c72c9d0c6bb513fd31f5c5046b1595f41cea6
                                  • Opcode Fuzzy Hash: 0c5ee7d7e5cf7983d0ad4bf4db3b554a1af7f7309cb84fb1a586f48f2319fd2b
                                  • Instruction Fuzzy Hash: B8A18F71A50205BFEB14DBA4ED4EFAE7BB9EB48711F004115FA15A72E0D770AD00CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%
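The function above builds the runtime's own splash window ("AutoIt v3" title, a `static` label and an `msctls_progress32` bar), and the report's "Binary is likely a compiled AutoIt script file" verdict rests on runtime markers of this kind. The following triage script is an added example, not Joe Sandbox or AutoIt code: it pulls ASCII and UTF-16LE strings out of a byte buffer and matches them against marker strings taken from the String IDs in this report. The weights, the threshold and the sample buffer are constructed for illustration.

```python
"""Triage helper: flag AutoIt v3 runtime markers in a PE image.

Added example, not Joe Sandbox code. The marker list is taken from the
String IDs shown in this report; SAMPLE_BLOB is constructed in-line so
the script runs offline. Weights and threshold are assumptions.
"""
import re
import sys
from typing import Dict, List

# Markers seen in the AutoIt runtime functions listed in this report.
# Hypothetical weights: runtime window titles and script directives are
# strong evidence; common-control class names are weak (any GUI uses them).
AUTOIT_MARKERS: Dict[str, int] = {
    "AutoIt v3": 3,
    "AutoIt v3 GUI": 3,
    "#OnAutoItStartRegister": 3,
    "#requireadmin": 2,
    "#notrayicon": 2,
    "#pragma compile": 2,
    "msctls_progress32": 1,
    "tooltips_class32": 1,
}

_ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
# UTF-16LE run of printable ASCII: each character followed by a NUL byte.
_UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of length >= 4."""
    found = [m.group().decode("ascii") for m in _ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in _UTF16_RE.finditer(data)]
    return found


def scan_autoit_markers(data: bytes) -> Dict[str, int]:
    """Map every AutoIt marker present in data to its weight."""
    strings = extract_strings(data)
    return {marker: weight for marker, weight in AUTOIT_MARKERS.items()
            if any(marker in s for s in strings)}


def autoit_score(data: bytes) -> int:
    return sum(scan_autoit_markers(data).values())


def is_likely_autoit(data: bytes, threshold: int = 4) -> bool:
    return autoit_score(data) >= threshold


# Constructed sample: a fake PE-like blob with markers stored the way the
# compiled runtime keeps them (wide strings for window titles/classes).
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + "AutoIt v3 GUI".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x12"  # noise between strings
    + "#requireadmin".encode("utf-16-le") + b"\x00\x00"
    + b"msctls_progress32\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_BLOB
    for marker, weight in sorted(scan_autoit_markers(blob).items(),
                                 key=lambda kv: -kv[1]):
        print(f"{weight}  {marker}")
    print("likely AutoIt:", is_likely_autoit(blob))
```

Run it against an unpacked dump rather than the packed on-disk file where possible; a packer can hide these strings until runtime, which is why the report's evidence comes from a memory dump (`00000000.00000002....sdmp`) rather than the submitted PE.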

                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0023AF89
                                  • GetDriveTypeW.KERNEL32(?,0025FAC0,?,\\.\,0025F910), ref: 0023B066
                                  • SetErrorMode.KERNEL32(00000000,0025FAC0,?,\\.\,0025F910), ref: 0023B1C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DriveType
                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                  • API String ID: 2907320926-4222207086
                                  • Opcode ID: 8ae036c8398a5e5b20d4cefb3e364ea860700a6f90b95a81e32f44e652f50269
                                  • Instruction ID: e6e2eb03f94d02308c27d67fe0e3734183366dbf3302bf95ff99b01325ae9c8d
                                  • Opcode Fuzzy Hash: 8ae036c8398a5e5b20d4cefb3e364ea860700a6f90b95a81e32f44e652f50269
                                  • Instruction Fuzzy Hash: AF51E6B46B1306ABDB05EF10C99297DB3B0AB19341F204017E64EA72D0DBB59D31DB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __wcsnicmp
                                  • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                  • API String ID: 1038674560-86951937
                                  • Opcode ID: 4039b23fdd0d60c5708835969467300dae94f2705c51d32cc0e2442fab127658
                                  • Instruction ID: 9d294add157570297231256171ee4e554d85ed153638bac3de88245bc9b4f35c
                                  • Opcode Fuzzy Hash: 4039b23fdd0d60c5708835969467300dae94f2705c51d32cc0e2442fab127658
                                  • Instruction Fuzzy Hash: 288108B0750715BACF24AF60CD82FBE7758AF25700F044026FD46AB2D2EB70DAA5C691
                                  Uniqueness

                                  Uniqueness Score: -1.00%
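The function above is the runtime's directive pre-pass: it compares each `#`-line case-insensitively (`__wcsnicmp`) against `#cs`/`#ce`, `#comments-start`/`#comments-end`, `#include`, `#include-once`, `#requireadmin`, `#notrayicon`, `#pragma compile` and `#OnAutoItStartRegister`, and reports "Bad directive syntax error", "Cannot parse #include" or "Unterminated group of comments". When the embedded script is extracted from a sample like this one, the same directives are the first thing to read: `#RequireAdmin` asks for elevation at start and `#NoTrayIcon` hides the runtime's tray icon. The scanner below is an added example, not the AutoIt interpreter's code; nesting of comment blocks, the `#include` forms accepted and the exact error wording are assumptions modelled on the strings in this listing, and the sample script is constructed.

```python
"""Directive pre-scan for an extracted AutoIt script.

Added example, not the AutoIt interpreter's own code. Models the directive
set this report shows the runtime comparing case-insensitively. Nested
#cs/#ce blocks, the accepted #include forms and the error texts are
assumptions based on the strings in the listing; SAMPLE_SCRIPT is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Directives the runtime recognises; "#include-once" precedes "#include"
# so the longer name wins in the alternation.
KNOWN_DIRECTIVES = (
    "#include-once", "#include", "#requireadmin", "#notrayicon",
    "#pragma compile", "#onautoitstartregister",
)
# Directives worth surfacing during triage (descriptions are ours).
NOTEWORTHY = {
    "#requireadmin": "requests elevation (UAC prompt) at start",
    "#notrayicon": "hides the AutoIt tray icon while running",
    "#onautoitstartregister": "runs a function before the main script body",
}

_COMMENT_OPEN_RE = re.compile(r"^(#comments-start|#cs)(?![\w-])", re.I)
_COMMENT_CLOSE_RE = re.compile(r"^(#comments-end|#ce)(?![\w-])", re.I)
_DIRECTIVE_RE = re.compile(
    r"^(" + "|".join(re.escape(d) for d in KNOWN_DIRECTIVES) + r")(?![\w-])", re.I)
_INCLUDE_RE = re.compile(r'^#include\s+(?:<([^>]+)>|"([^"]+)")\s*$', re.I)


@dataclass
class DirectiveReport:
    directives: List[str] = field(default_factory=list)
    includes: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def scan_directives(script: str) -> DirectiveReport:
    """Walk the script line by line, honouring comment blocks, and
    collect directives, include targets, triage notes and parse errors."""
    rep = DirectiveReport()
    depth = 0  # comment-block nesting depth (assumption: blocks nest)
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if _COMMENT_OPEN_RE.match(line):
            depth += 1
            continue
        if _COMMENT_CLOSE_RE.match(line):
            depth = max(depth - 1, 0)
            continue
        if depth or not line.startswith("#"):
            continue  # inside a comment block, or ordinary code
        m = _DIRECTIVE_RE.match(line)
        if m is None:
            rep.errors.append(f"line {lineno}: Bad directive syntax error: {line}")
            continue
        name = m.group(1).lower()
        rep.directives.append(name)
        if name == "#include":
            inc = _INCLUDE_RE.match(line)
            if inc is None:
                rep.errors.append(f"line {lineno}: Cannot parse #include: {line}")
            else:
                rep.includes.append(inc.group(1) or inc.group(2))
        elif name in NOTEWORTHY:
            rep.notes.append(f"line {lineno}: {name} {NOTEWORTHY[name]}")
    if depth:
        rep.errors.append("Unterminated group of comments")
    return rep


# Constructed sample script exercising each path, including an #include
# hidden inside a comment block and a malformed bare #include.
SAMPLE_SCRIPT = """\
#NoTrayIcon
#RequireAdmin
#include <Crypt.au3>
#cs
    #include "never-parsed.au3"
#ce
#include Bare.au3
#OnAutoItStartRegister "_Init"
#bogus directive
Local $s = "hello"
"""

if __name__ == "__main__":
    report = scan_directives(SAMPLE_SCRIPT)
    for kind in ("directives", "includes", "notes", "errors"):
        for item in getattr(report, kind):
            print(f"{kind:10} {item}")
```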

                                  APIs
                                  • GetSysColor.USER32(00000012), ref: 0025AB99
                                  • SetTextColor.GDI32(?,?), ref: 0025AB9D
                                  • GetSysColorBrush.USER32(0000000F), ref: 0025ABB3
                                  • GetSysColor.USER32(0000000F), ref: 0025ABBE
                                  • CreateSolidBrush.GDI32(?), ref: 0025ABC3
                                  • GetSysColor.USER32(00000011), ref: 0025ABDB
                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0025ABE9
                                  • SelectObject.GDI32(?,00000000), ref: 0025ABFA
                                  • SetBkColor.GDI32(?,00000000), ref: 0025AC03
                                  • SelectObject.GDI32(?,?), ref: 0025AC10
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 0025AC2F
                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0025AC46
                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0025AC5B
                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0025ACA7
                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0025ACCE
                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 0025ACEC
                                  • DrawFocusRect.USER32(?,?), ref: 0025ACF7
                                  • GetSysColor.USER32(00000011), ref: 0025AD05
                                  • SetTextColor.GDI32(?,00000000), ref: 0025AD0D
                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0025AD21
                                  • SelectObject.GDI32(?,0025A869), ref: 0025AD38
                                  • DeleteObject.GDI32(?), ref: 0025AD43
                                  • SelectObject.GDI32(?,?), ref: 0025AD49
                                  • DeleteObject.GDI32(?), ref: 0025AD4E
                                  • SetTextColor.GDI32(?,?), ref: 0025AD54
                                  • SetBkColor.GDI32(?,?), ref: 0025AD5E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                  • String ID:
                                  • API String ID: 1996641542-0
                                  • Opcode ID: 0d8107a81202d12906b948dbfc17f2f6380f2116dba5a7dcd5d6ae7e6f41de8a
                                  • Instruction ID: 3dd1eacd24abfd14c5923281bd65e2b554c310f8ab4699f51c6ec04bdd8db485
                                  • Opcode Fuzzy Hash: 0d8107a81202d12906b948dbfc17f2f6380f2116dba5a7dcd5d6ae7e6f41de8a
                                  • Instruction Fuzzy Hash: E8618E71900209EFDF119FA8ED49EAE7B79FB08322F108225F915AB2A1D7719D40CF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00258D34
                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00258D45
                                  • CharNextW.USER32(0000014E), ref: 00258D74
                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00258DB5
                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00258DCB
                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00258DDC
                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00258DF9
                                  • SetWindowTextW.USER32(?,0000014E), ref: 00258E45
                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00258E5B
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00258E8C
                                  • _memset.LIBCMT ref: 00258EB1
                                  • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00258EFA
                                  • _memset.LIBCMT ref: 00258F59
                                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00258F83
                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 00258FDB
                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 00259088
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 002590AA
                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002590F4
                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00259121
                                  • DrawMenuBar.USER32(?), ref: 00259130
                                  • SetWindowTextW.USER32(?,0000014E), ref: 00259158
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                  • String ID: 0
                                  • API String ID: 1073566785-4108050209
                                  • Opcode ID: d9a933e63255a52c29e1db979889ec43814b2414f93b59e7245abb6a719173f8
                                  • Instruction ID: 76d7bf2f9f4155ae0b13b8c0d4213e5c3d9754348fae55968235162387effef7
                                  • Opcode Fuzzy Hash: d9a933e63255a52c29e1db979889ec43814b2414f93b59e7245abb6a719173f8
                                  • Instruction Fuzzy Hash: 08E1B770911219EBDF109F60CC88EFE7BB9EF05711F108156FD19AA191DBB08999CF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCursorPos.USER32(?), ref: 00254C51
                                  • GetDesktopWindow.USER32 ref: 00254C66
                                  • GetWindowRect.USER32(00000000), ref: 00254C6D
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00254CCF
                                  • DestroyWindow.USER32(?), ref: 00254CFB
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00254D24
                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00254D42
                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00254D68
                                  • SendMessageW.USER32(?,00000421,?,?), ref: 00254D7D
                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00254D90
                                  • IsWindowVisible.USER32(?), ref: 00254DB0
                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00254DCB
                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00254DDF
                                  • GetWindowRect.USER32(?,?), ref: 00254DF7
                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00254E1D
                                  • GetMonitorInfoW.USER32(00000000,?), ref: 00254E37
                                  • CopyRect.USER32(?,?), ref: 00254E4E
                                  • SendMessageW.USER32(?,00000412,00000000), ref: 00254EB9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                  • String ID: ($0$tooltips_class32
                                  • API String ID: 698492251-4156429822
                                  • Opcode ID: dd2b2d7f3e721f5e3bf9f4e579e898d44f60d6a8b8995b1589a81e39c640d922
                                  • Instruction ID: 58d8b839c76f7cc0501a1d33fcfd513da9e9829f080fe77100dbb3352da44dd1
                                  • Opcode Fuzzy Hash: dd2b2d7f3e721f5e3bf9f4e579e898d44f60d6a8b8995b1589a81e39c640d922
                                  • Instruction Fuzzy Hash: B9B1BC70614301AFDB04EF24C949B6AFBE4BF84315F00891DF9999B2A1D770EC58CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetFileVersionInfoSizeW.VERSION(?,?), ref: 002346E8
                                  • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0023470E
                                  • _wcscpy.LIBCMT ref: 0023473C
                                  • _wcscmp.LIBCMT ref: 00234747
                                  • _wcscat.LIBCMT ref: 0023475D
                                  • _wcsstr.LIBCMT ref: 00234768
                                  • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00234784
                                  • _wcscat.LIBCMT ref: 002347CD
                                  • _wcscat.LIBCMT ref: 002347D4
                                  • _wcsncpy.LIBCMT ref: 002347FF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                  • API String ID: 699586101-1459072770
                                  • Opcode ID: 78938f0a3a3be1e5d15a899575aca7f4b2688b312b29679c85d79009b786a4f2
                                  • Instruction ID: 272c0fac5615a7d356b4f4126d50e571aa35057da984e2f600f831bf42f1824d
                                  • Opcode Fuzzy Hash: 78938f0a3a3be1e5d15a899575aca7f4b2688b312b29679c85d79009b786a4f2
                                  • Instruction Fuzzy Hash: D34128B1620209BBEB10BB649C47EBF776CDF16710F14016AFE04E7182EF74AA1197A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001D28BC
                                  • GetSystemMetrics.USER32(00000007), ref: 001D28C4
                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001D28EF
                                  • GetSystemMetrics.USER32(00000008), ref: 001D28F7
                                  • GetSystemMetrics.USER32(00000004), ref: 001D291C
                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001D2939
                                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001D2949
                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 001D297C
                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001D2990
                                  • GetClientRect.USER32(00000000,000000FF), ref: 001D29AE
                                  • GetStockObject.GDI32(00000011), ref: 001D29CA
                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 001D29D5
                                    • Part of subcall function 001D2344: GetCursorPos.USER32(?), ref: 001D2357
                                    • Part of subcall function 001D2344: ScreenToClient.USER32(002967B0,?), ref: 001D2374
                                    • Part of subcall function 001D2344: GetAsyncKeyState.USER32(00000001), ref: 001D2399
                                    • Part of subcall function 001D2344: GetAsyncKeyState.USER32(00000002), ref: 001D23A7
                                  • SetTimer.USER32(00000000,00000000,00000028,001D1256), ref: 001D29FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                  • String ID: AutoIt v3 GUI
                                  • API String ID: 1458621304-248962490
                                  • Opcode ID: e959b2aa403bd7dc752b642768dbc7577c23bdd4c6e0493e428b91b08c4adceb
                                  • Instruction ID: d8e5da51b829882debae810d1548738056aeb046c716fb90ec21a4d18dcb0868
                                  • Opcode Fuzzy Hash: e959b2aa403bd7dc752b642768dbc7577c23bdd4c6e0493e428b91b08c4adceb
                                  • Instruction Fuzzy Hash: E6B17071A1030AEFDB14DFA8DD49BAE7BB4FB18311F10822AFA25972D0DB749851CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CharUpperBuffW.USER32(?,?), ref: 002540F6
                                  • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002541B6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: BuffCharMessageSendUpper
                                  • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                  • API String ID: 3974292440-719923060
                                  • Opcode ID: 99d52710d47dd0d68e0db4fee2d1c8ee85071982dfdb42336b6ab2397333ce76
                                  • Instruction ID: 33fceae5e5ca33b6392fa7546cbddf97144c6b8aa426bf986b185b6a9c46da57
                                  • Opcode Fuzzy Hash: 99d52710d47dd0d68e0db4fee2d1c8ee85071982dfdb42336b6ab2397333ce76
                                  • Instruction Fuzzy Hash: A1A1A030234316ABCB14FF60C851A7AB3A5AF94319F10486DBC969B7E2DB30EC59CB45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00245309
                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 00245314
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 0024531F
                                  • LoadCursorW.USER32(00000000,00007F03), ref: 0024532A
                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 00245335
                                  • LoadCursorW.USER32(00000000,00007F01), ref: 00245340
                                  • LoadCursorW.USER32(00000000,00007F81), ref: 0024534B
                                  • LoadCursorW.USER32(00000000,00007F88), ref: 00245356
                                  • LoadCursorW.USER32(00000000,00007F80), ref: 00245361
                                  • LoadCursorW.USER32(00000000,00007F86), ref: 0024536C
                                  • LoadCursorW.USER32(00000000,00007F83), ref: 00245377
                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00245382
                                  • LoadCursorW.USER32(00000000,00007F82), ref: 0024538D
                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00245398
                                  • LoadCursorW.USER32(00000000,00007F04), ref: 002453A3
                                  • LoadCursorW.USER32(00000000,00007F02), ref: 002453AE
                                  • GetCursorInfo.USER32(?), ref: 002453BE
                                  • GetLastError.KERNEL32(00000001,00000000), ref: 002453E9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Cursor$Load$ErrorInfoLast
                                  • String ID:
                                  • API String ID: 3215588206-0
                                  • Opcode ID: 1afc658c5aa07961f90cdfbbd59396a8772ed646d8c05f9aedc1a62314bea87f
                                  • Instruction ID: f3321dde880c2e17a9a533bf627f0dadba7ebd6afbadaab772e1463f729ac9f8
                                  • Opcode Fuzzy Hash: 1afc658c5aa07961f90cdfbbd59396a8772ed646d8c05f9aedc1a62314bea87f
                                  • Instruction Fuzzy Hash: 0B417370E043296BDB109FBA8C4996FFFB8EF51B50B10452FF549EB291DAB894018E61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetClassNameW.USER32(?,?,00000100), ref: 0022AAA5
                                  • __swprintf.LIBCMT ref: 0022AB46
                                  • _wcscmp.LIBCMT ref: 0022AB59
                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0022ABAE
                                  • _wcscmp.LIBCMT ref: 0022ABEA
                                  • GetClassNameW.USER32(?,?,00000400), ref: 0022AC21
                                  • GetDlgCtrlID.USER32(?), ref: 0022AC73
                                  • GetWindowRect.USER32(?,?), ref: 0022ACA9
                                  • GetParent.USER32(?), ref: 0022ACC7
                                  • ScreenToClient.USER32(00000000), ref: 0022ACCE
                                  • GetClassNameW.USER32(?,?,00000100), ref: 0022AD48
                                  • _wcscmp.LIBCMT ref: 0022AD5C
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0022AD82
                                  • _wcscmp.LIBCMT ref: 0022AD96
                                    • Part of subcall function 001F386C: _iswctype.LIBCMT ref: 001F3874
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                  • String ID: %s%u
                                  • API String ID: 3744389584-679674701
                                  • Opcode ID: 956b72d56e9bab3b1d162d3cc43837576dba9abbf4b0724f46f94a58b506d25a
                                  • Instruction ID: b934a6560fd8ed8d0efe6c552945fb3d6419b6d7899a98457f3f44c7d7aaaa18
                                  • Opcode Fuzzy Hash: 956b72d56e9bab3b1d162d3cc43837576dba9abbf4b0724f46f94a58b506d25a
                                  • Instruction Fuzzy Hash: 00A1E171214727BFD714DFA0D884BAAB7E8FF04315F104629F9A9C2990DB30E965CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetClassNameW.USER32(00000008,?,00000400), ref: 0022B3DB
                                  • _wcscmp.LIBCMT ref: 0022B3EC
                                  • GetWindowTextW.USER32(00000001,?,00000400), ref: 0022B414
                                  • CharUpperBuffW.USER32(?,00000000), ref: 0022B431
                                  • _wcscmp.LIBCMT ref: 0022B44F
                                  • _wcsstr.LIBCMT ref: 0022B460
                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 0022B498
                                  • _wcscmp.LIBCMT ref: 0022B4A8
                                  • GetWindowTextW.USER32(00000002,?,00000400), ref: 0022B4CF
                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 0022B518
                                  • _wcscmp.LIBCMT ref: 0022B528
                                  • GetClassNameW.USER32(00000010,?,00000400), ref: 0022B550
                                  • GetWindowRect.USER32(00000004,?), ref: 0022B5B9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                  • String ID: @$ThumbnailClass
                                  • API String ID: 1788623398-1539354611
                                  • Opcode ID: c3b928447d4c40c1c57bd766bc65d9fd4212ba131468a906351c9fe641a8666a
                                  • Instruction ID: 5caed3e756058123c0fba475a99fd5f4411569ad70e64db1c758ad74da30a38c
                                  • Opcode Fuzzy Hash: c3b928447d4c40c1c57bd766bc65d9fd4212ba131468a906351c9fe641a8666a
                                  • Instruction Fuzzy Hash: FD81F071018316ABDB02DF90E885FBABBE8EF54314F088169FD858A092DB34DD65CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D2612: GetWindowLongW.USER32(?,000000EB), ref: 001D2623
                                  • DragQueryPoint.SHELL32(?,?), ref: 0025C917
                                    • Part of subcall function 0025ADF1: ClientToScreen.USER32(?,?), ref: 0025AE1A
                                    • Part of subcall function 0025ADF1: GetWindowRect.USER32(?,?), ref: 0025AE90
                                    • Part of subcall function 0025ADF1: PtInRect.USER32(?,?,0025C304), ref: 0025AEA0
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0025C980
                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0025C98B
                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0025C9AE
                                  • _wcscat.LIBCMT ref: 0025C9DE
                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0025C9F5
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0025CA0E
                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 0025CA25
                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 0025CA47
                                  • DragFinish.SHELL32(?), ref: 0025CA4E
                                  • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0025CB41
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr)
                                  • API String ID: 169749273-2438715428
                                  • Opcode ID: 6251b4df3af0d9c2f0909f2448332491d2950764d08edca1efd7f26d61bb8acc
                                  • Instruction ID: 4e44ed990006e8518f9c34c1021d0f3d28986e67c7e3d03d8af20347d019a73e
                                  • Opcode Fuzzy Hash: 6251b4df3af0d9c2f0909f2448332491d2950764d08edca1efd7f26d61bb8acc
                                  • Instruction Fuzzy Hash: 3E617A71118301AFC701EF60DC89D9BBBE8EF99750F000A2EF591932A1EB709A59CB56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __wcsnicmp
                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                  • API String ID: 1038674560-1810252412
                                  • Opcode ID: 41528de5b8cd6b9c61cbe3785ba5f0c4480849946d75a56bd3725c4dc37cf80b
                                  • Instruction ID: 13baf556b8db1300569b6f673c75c3aaa33fbc17cb9ec2c57c0c03efc2925330
                                  • Opcode Fuzzy Hash: 41528de5b8cd6b9c61cbe3785ba5f0c4480849946d75a56bd3725c4dc37cf80b
                                  • Instruction Fuzzy Hash: 7231023492432AE6DB15FAA0DD43EFEB7A89F21710F240116B812720D1FF516E64C650
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadIconW.USER32(00000063), ref: 0022C4D4
                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0022C4E6
                                  • SetWindowTextW.USER32(?,?), ref: 0022C4FD
                                  • GetDlgItem.USER32(?,000003EA), ref: 0022C512
                                  • SetWindowTextW.USER32(00000000,?), ref: 0022C518
                                  • GetDlgItem.USER32(?,000003E9), ref: 0022C528
                                  • SetWindowTextW.USER32(00000000,?), ref: 0022C52E
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0022C54F
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0022C569
                                  • GetWindowRect.USER32(?,?), ref: 0022C572
                                  • SetWindowTextW.USER32(?,?), ref: 0022C5DD
                                  • GetDesktopWindow.USER32 ref: 0022C5E3
                                  • GetWindowRect.USER32(00000000), ref: 0022C5EA
                                  • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0022C636
                                  • GetClientRect.USER32(?,?), ref: 0022C643
                                  • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0022C668
                                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0022C693
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                  • String ID:
                                  • API String ID: 3869813825-0
                                  • Opcode ID: 499df4b80afaa06eddcff9749045a18cacc40c445d418c3fee3bec2f45bda627
                                  • Instruction ID: dc8113d106f947b5c2a0bade41032e1a3ef898a1e688e355beaced324cb185b1
                                  • Opcode Fuzzy Hash: 499df4b80afaa06eddcff9749045a18cacc40c445d418c3fee3bec2f45bda627
                                  • Instruction Fuzzy Hash: 56516F70900709AFDB209FA8EE89B6FBBF9FF04705F104528E656A25A0C775E924CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 0025A4C8
                                  • DestroyWindow.USER32(?,?), ref: 0025A542
                                    • Part of subcall function 001D7D2C: _memmove.LIBCMT ref: 001D7D66
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0025A5BC
                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0025A5DE
                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0025A5F1
                                  • DestroyWindow.USER32(00000000), ref: 0025A613
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001D0000,00000000), ref: 0025A64A
                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0025A663
                                  • GetDesktopWindow.USER32 ref: 0025A67C
                                  • GetWindowRect.USER32(00000000), ref: 0025A683
                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0025A69B
                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0025A6B3
                                    • Part of subcall function 001D25DB: GetWindowLongW.USER32(?,000000EB), ref: 001D25EC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                  • String ID: 0$tooltips_class32
                                  • API String ID: 1297703922-3619404913
                                  • Opcode ID: b752d3ea040e01408b72577fdf1964bca9b236792d96b1c259cb133a4d30fbef
                                  • Instruction ID: 69e22ba5c10a7798840443b0fea382eb5fc334f096a11f48383a5d8cf4d58f03
                                  • Opcode Fuzzy Hash: b752d3ea040e01408b72577fdf1964bca9b236792d96b1c259cb133a4d30fbef
                                  • Instruction Fuzzy Hash: E771AF75150306AFDB20DF28DC4AF667BE9FB98301F08462DF995872A0D770E919CB1A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CharUpperBuffW.USER32(?,?), ref: 002546AB
                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002546F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: BuffCharMessageSendUpper
                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                  • API String ID: 3974292440-4258414348
                                  • Opcode ID: 8e7d9b20e687ce6e33b942eb653d50f76fd1b5e59f18c0a7cdaab8d7ac920636
                                  • Instruction ID: f10a7ecc9c76d836aa9eb952f28a3764ed4fade2d22adaffd13dcb785811d080
                                  • Opcode Fuzzy Hash: 8e7d9b20e687ce6e33b942eb653d50f76fd1b5e59f18c0a7cdaab8d7ac920636
                                  • Instruction Fuzzy Hash: 27918E342243129BCB14FF50C851A6AF7A1AF99318F00485DFC965B7A3CB70ED6ACB85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0025BB6E
                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00259431), ref: 0025BBCA
                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0025BC03
                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0025BC46
                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0025BC7D
                                  • FreeLibrary.KERNEL32(?), ref: 0025BC89
                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0025BC99
                                  • DestroyIcon.USER32(?,?,?,?,?,00259431), ref: 0025BCA8
                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0025BCC5
                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0025BCD1
                                    • Part of subcall function 001F313D: __wcsicmp_l.LIBCMT ref: 001F31C6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                  • String ID: .dll$.exe$.icl
                                  • API String ID: 1212759294-1154884017
                                  • Opcode ID: d499cbaabc3a23172722eb3410af227d792451c34441f61e7313c9f080a7f1c5
                                  • Instruction ID: cc7f5eb0fccd6a36a333b69c1998bbc6a00a57a064279f8f4bf837a401d9a134
                                  • Opcode Fuzzy Hash: d499cbaabc3a23172722eb3410af227d792451c34441f61e7313c9f080a7f1c5
                                  • Instruction Fuzzy Hash: 1761017191021ABEEB15DF64DC45FBE77A8EB08712F10411AFD15D61C0DBB0AAA4CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadStringW.USER32(00000066,?,00000FFF,0025FB78), ref: 0023A0FC
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                  • LoadStringW.USER32(?,?,00000FFF,?), ref: 0023A11E
                                  • __swprintf.LIBCMT ref: 0023A177
                                  • __swprintf.LIBCMT ref: 0023A190
                                  • _wprintf.LIBCMT ref: 0023A246
                                  • _wprintf.LIBCMT ref: 0023A264
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: LoadString__swprintf_wprintf$_memmove
                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%&
                                  • API String ID: 311963372-3083762496
                                  • Opcode ID: 5c6837199191f69acbcf3914fab332364df3a313b37caa378388954d5ca28460
                                  • Instruction ID: dfa286e92b528b16c441966da6c4230f146e1415eac0fe1bd18c217849e51de8
                                  • Opcode Fuzzy Hash: 5c6837199191f69acbcf3914fab332364df3a313b37caa378388954d5ca28460
                                  • Instruction Fuzzy Hash: 4D518F7190021ABACF15EBE0DD86EEEB779AF14300F100166F915721E1EB316F68DB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D9997: __itow.LIBCMT ref: 001D99C2
                                    • Part of subcall function 001D9997: __swprintf.LIBCMT ref: 001D9A0C
                                  • CharLowerBuffW.USER32(?,?), ref: 0023A636
                                  • GetDriveTypeW.KERNEL32 ref: 0023A683
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0023A6CB
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0023A702
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0023A730
                                    • Part of subcall function 001D7D2C: _memmove.LIBCMT ref: 001D7D66
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                  • API String ID: 2698844021-4113822522
                                  • Opcode ID: 0212739a9b436eef5ef12ec1eef9b5581a73f990aa7f29586552d33b58a8b2e2
                                  • Instruction ID: ab0b6de0bf43408986f8e0a578890d3a7f661abf08e69a6c0edd2a2498b968ad
                                  • Opcode Fuzzy Hash: 0212739a9b436eef5ef12ec1eef9b5581a73f990aa7f29586552d33b58a8b2e2
                                  • Instruction Fuzzy Hash: CD5159751143159FC704EF20C98196AB7F8FFA8718F04496EF896573A1EB31AE0ACB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0023A47A
                                  • __swprintf.LIBCMT ref: 0023A49C
                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0023A4D9
                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0023A4FE
                                  • _memset.LIBCMT ref: 0023A51D
                                  • _wcsncpy.LIBCMT ref: 0023A559
                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0023A58E
                                  • CloseHandle.KERNEL32(00000000), ref: 0023A599
                                  • RemoveDirectoryW.KERNEL32(?), ref: 0023A5A2
                                  • CloseHandle.KERNEL32(00000000), ref: 0023A5AC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                  • String ID: :$\$\??\%s
                                  • API String ID: 2733774712-3457252023
                                  • Opcode ID: 8da0daa95e108bbe636419885f0f5b72ad34409cca70e65846d3a4fc573db62b
                                  • Instruction ID: cbbd84f83f32900af8202021536fa62632568921b672c2e46d383ea6db080caa
                                  • Opcode Fuzzy Hash: 8da0daa95e108bbe636419885f0f5b72ad34409cca70e65846d3a4fc573db62b
                                  • Instruction Fuzzy Hash: 6C31C3B591020AABDB21DFA0DC48FEB33BCEF88701F1041B6FA08D6160EB7097548B25
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D2612: GetWindowLongW.USER32(?,000000EB), ref: 001D2623
                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0025C4EC
                                  • GetFocus.USER32 ref: 0025C4FC
                                  • GetDlgCtrlID.USER32(00000000), ref: 0025C507
                                  • _memset.LIBCMT ref: 0025C632
                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0025C65D
                                  • GetMenuItemCount.USER32(?), ref: 0025C67D
                                  • GetMenuItemID.USER32(?,00000000), ref: 0025C690
                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0025C6C4
                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0025C70C
                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0025C744
                                  • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0025C779
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                  • String ID: 0
                                  • API String ID: 1296962147-4108050209
                                  • Opcode ID: 3705a0eadbd31d4f32028fe06078ac19bd7b90b1193cf66d6e530e6cf2362d1c
                                  • Instruction ID: 4d419fb028bc77a1c123931dd61af289530091d1cd59b8592f62d96b91ceef4c
                                  • Opcode Fuzzy Hash: 3705a0eadbd31d4f32028fe06078ac19bd7b90b1193cf66d6e530e6cf2362d1c
                                  • Instruction Fuzzy Hash: A0819F702183029FD710CF24D988A6BBBE8FB88356F20052EFD9597291E770D919CF96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0022874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00228766
                                    • Part of subcall function 0022874A: GetLastError.KERNEL32(?,0022822A,?,?,?), ref: 00228770
                                    • Part of subcall function 0022874A: GetProcessHeap.KERNEL32(00000008,?,?,0022822A,?,?,?), ref: 0022877F
                                    • Part of subcall function 0022874A: HeapAlloc.KERNEL32(00000000,?,0022822A,?,?,?), ref: 00228786
                                    • Part of subcall function 0022874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0022879D
                                    • Part of subcall function 002287E7: GetProcessHeap.KERNEL32(00000008,00228240,00000000,00000000,?,00228240,?), ref: 002287F3
                                    • Part of subcall function 002287E7: HeapAlloc.KERNEL32(00000000,?,00228240,?), ref: 002287FA
                                    • Part of subcall function 002287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00228240,?), ref: 0022880B
                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00228458
                                  • _memset.LIBCMT ref: 0022846D
                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0022848C
                                  • GetLengthSid.ADVAPI32(?), ref: 0022849D
                                  • GetAce.ADVAPI32(?,00000000,?), ref: 002284DA
                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002284F6
                                  • GetLengthSid.ADVAPI32(?), ref: 00228513
                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00228522
                                  • HeapAlloc.KERNEL32(00000000), ref: 00228529
                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0022854A
                                  • CopySid.ADVAPI32(00000000), ref: 00228551
                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00228582
                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002285A8
                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002285BC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                  • String ID:
                                  • API String ID: 3996160137-0
                                  • Opcode ID: 75b9e53ed33fc253df3a1c2f69cdc947f4e56c40bddd4044c6ff42e9443b5ac6
                                  • Instruction ID: b835920f8f33dc160e69c776861d228a680dd0b461ea2473cead6171db13232d
                                  • Opcode Fuzzy Hash: 75b9e53ed33fc253df3a1c2f69cdc947f4e56c40bddd4044c6ff42e9443b5ac6
                                  • Instruction Fuzzy Hash: D5615A7191121ABBDF00DFA0ED48AAEBBB9FF04301F448129F915A7291DB34DA24CF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetDC.USER32(00000000), ref: 002476A2
                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 002476AE
                                  • CreateCompatibleDC.GDI32(?), ref: 002476BA
                                  • SelectObject.GDI32(00000000,?), ref: 002476C7
                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0024771B
                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00247757
                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0024777B
                                  • SelectObject.GDI32(00000006,?), ref: 00247783
                                  • DeleteObject.GDI32(?), ref: 0024778C
                                  • DeleteDC.GDI32(00000006), ref: 00247793
                                  • ReleaseDC.USER32(00000000,?), ref: 0024779E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                  • String ID: (
                                  • API String ID: 2598888154-3887548279
                                  • Opcode ID: 775189db882ad80d1702ac614ecfd6df046a97c4f33686bb1619e3f2d9cba4f2
                                  • Instruction ID: a48d724e0121d6a768b29e1adcb3732a9ef889306203d57ff3e671ccb9a81080
                                  • Opcode Fuzzy Hash: 775189db882ad80d1702ac614ecfd6df046a97c4f33686bb1619e3f2d9cba4f2
                                  • Instruction Fuzzy Hash: 0C516975914309EFCB15CFA8DC88EAEBBB9EF48710F14842DF95AA7250D731A850CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001F0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,001D6C6C,?,00008000), ref: 001F0BB7
                                    • Part of subcall function 001D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001D48A1,?,?,001D37C0,?), ref: 001D48CE
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 001D6D0D
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 001D6E5A
                                    • Part of subcall function 001D59CD: _wcscpy.LIBCMT ref: 001D5A05
                                    • Part of subcall function 001F387D: _iswctype.LIBCMT ref: 001F3885
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                  • API String ID: 537147316-1018226102
                                  • Opcode ID: 524810b396620419a1aa2b9a050d1ef2a9e70f0c4216d0c5a72ca0c9c0efbc87
                                  • Instruction ID: 290198d58cc15062d2e4ea277ef209117dab9124ed814a3e66ddbd956a7be6de
                                  • Opcode Fuzzy Hash: 524810b396620419a1aa2b9a050d1ef2a9e70f0c4216d0c5a72ca0c9c0efbc87
                                  • Instruction Fuzzy Hash: DB02BE711183419FCB24EF24C881AAFBBE5BFA9314F140D1EF486972A2DB30D959CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%
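
The strings in this entry (">>>AUTOIT SCRIPT<<<", "AU3!", "EA06", and the #include, directive and unterminated-string error messages) are the script-loader constants of the AutoIt3 interpreter stub, which is what identifies the sample as a compiled AutoIt script wrapped in the standard runtime. The Python below is an added example, not part of this report or of AutoIt: it scans a file for those markers in both ASCII and UTF-16LE, maps each hit to the PE section that contains it by walking the PE/COFF section table, and flags the file when the banner, or the AU3! tag together with its EA06 subtype, is present. The marker set is taken from this entry only; whether other AutoIt builds use other subtype tags is an assumption to verify against your own samples. All inputs are constructed inline, and the minimal PE builder is a stand-in for tests, not a loadable image.

```python
"""Scan a file for the compiled-AutoIt loader markers listed in this entry.

Added example; not from the Joe Sandbox report or the AutoIt project. The
marker strings are the ones in the String ID list above; the section lookup
follows the PE/COFF header layout. All sample inputs are constructed here.
"""
import struct
import sys

# Strings the AutoIt3 stub uses when locating and validating its embedded
# script (taken from this entry; other AutoIt builds may use a subtype tag
# other than EA06, which is an assumption to check against your own samples).
MARKERS = [b">>>AUTOIT SCRIPT<<<", b"AU3!", b"EA06"]


def parse_sections(data):
    """Return [(name, raw_offset, raw_size)] from the PE section table,
    or [] when the input is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsect, = struct.unpack_from("<H", data, e_lfanew + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i                                    # IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_off, raw_size))
    return sections


def section_of(offset, sections):
    """Name the section whose raw data covers a file offset."""
    for name, raw_off, raw_size in sections:
        if raw_off <= offset < raw_off + raw_size:
            return name
    return "<header/overlay>"


def find_markers(data):
    """Map each marker found to a list of (offset, encoding, section)."""
    sections = parse_sections(data)
    hits = {}
    for marker in MARKERS:
        wide = marker.decode("ascii").encode("utf-16-le")
        for encoding, needle in (("ascii", marker), ("utf-16le", wide)):
            start = 0
            while (idx := data.find(needle, start)) >= 0:
                hits.setdefault(marker.decode("ascii"), []).append(
                    (idx, encoding, section_of(idx, sections)))
                start = idx + 1
    return hits


def looks_like_compiled_autoit(data):
    """The banner alone, or the AU3! tag together with its EA06 subtype,
    is enough to queue the file for script extraction."""
    hits = find_markers(data)
    return ">>>AUTOIT SCRIPT<<<" in hits or ("AU3!" in hits and "EA06" in hits)


def build_minimal_pe(section_name=b".rsrc", payload=b""):
    """Constructed stand-in for a PE (not loadable): DOS header, PE
    signature, COFF header with an empty optional header, one section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    raw_off = e_lfanew + 4 + 20 + 40
    section = (section_name.ljust(8, b"\0")
               + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_off)
               + b"\0" * 16)
    return dos + b"PE\0\0" + coff + section + payload


# Constructed samples: a loose blob and a stand-in PE carrying the markers.
SAMPLE_BLOB = (b"\0" * 16 + b"junk AU3!" + b"\0" * 4 + b"EA06"
               + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le") + b"tail")
SAMPLE_PE = build_minimal_pe(b".rsrc", b"xxAU3!EA06yy>>>AUTOIT SCRIPT<<<")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for marker, where in find_markers(data).items():
        print(marker, where)
    print("compiled AutoIt?", looks_like_compiled_autoit(data))
```

Pass a file path as the first argument to scan a real sample; without one it scans the constructed stand-in. Reporting the section for each hit matters in practice: the stub's own constants sit in the code or data sections of every AutoIt executable, so a hit there only says "AutoIt runtime", whereas the embedded script lives in the resource section or overlay and is what needs to be extracted and decompiled next.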

                                  APIs
                                  • _memset.LIBCMT ref: 001D45F9
                                  • GetMenuItemCount.USER32(00296890), ref: 0020D7CD
                                  • GetMenuItemCount.USER32(00296890), ref: 0020D87D
                                  • GetCursorPos.USER32(?), ref: 0020D8C1
                                  • SetForegroundWindow.USER32(00000000), ref: 0020D8CA
                                  • TrackPopupMenuEx.USER32(00296890,00000000,?,00000000,00000000,00000000), ref: 0020D8DD
                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0020D8E9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                  • String ID:
                                  • API String ID: 2751501086-0
                                  • Opcode ID: 7dcc607850e654f96cc13fa80662dd3b70ac4f6205924b7a07781a687a9943aa
                                  • Instruction ID: 4502d81f8aaf9ffe17a90b5e25b0e76e58e2ee0d9428c72f8d6484d2c40902d1
                                  • Opcode Fuzzy Hash: 7dcc607850e654f96cc13fa80662dd3b70ac4f6205924b7a07781a687a9943aa
                                  • Instruction Fuzzy Hash: F9710770651306BFEB209F54DC89FAAFF68FF05364F204216F515A61E2D7B1A820DB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 00248BEC
                                  • CoInitialize.OLE32(00000000), ref: 00248C19
                                  • CoUninitialize.OLE32 ref: 00248C23
                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00248D23
                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00248E50
                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00262C0C), ref: 00248E84
                                  • CoGetObject.OLE32(?,00000000,00262C0C,?), ref: 00248EA7
                                  • SetErrorMode.KERNEL32(00000000), ref: 00248EBA
                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00248F3A
                                  • VariantClear.OLEAUT32(?), ref: 00248F4A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                  • String ID: ,,&
                                  • API String ID: 2395222682-623544517
                                  • Opcode ID: 6ebe9975cd0ad52d0bc0fb3b80774cec1f0d86c5faca3c5bbd2a193dc3d68e1d
                                  • Instruction ID: 0effbaced7d03f54950bc063077cb97da31bd6f4cdcbad779de2b83915df12e7
                                  • Opcode Fuzzy Hash: 6ebe9975cd0ad52d0bc0fb3b80774cec1f0d86c5faca3c5bbd2a193dc3d68e1d
                                  • Instruction Fuzzy Hash: E7C14371628305AFD704EF64C88492BB7E9FF89748F00492DF98A9B250DB71ED15CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00250038,?,?), ref: 002510BC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: BuffCharUpper
                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                  • API String ID: 3964851224-909552448
                                  • Opcode ID: 4ea0faf55b56aa648d70c1c43d199f46b52ed6eb552c76dfc5de75f65872776b
                                  • Instruction ID: 248eebf96e9cf00d731ec13e96d6a0965d7ba24f13e35c5e3a69028116e6bc69
                                  • Opcode Fuzzy Hash: 4ea0faf55b56aa648d70c1c43d199f46b52ed6eb552c76dfc5de75f65872776b
                                  • Instruction Fuzzy Hash: D3418B3016125F8BCF21EF90D895AEA3724AF26311F104459EDA59B292DB70AD3ACB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D7D2C: _memmove.LIBCMT ref: 001D7D66
                                    • Part of subcall function 001D7A84: _memmove.LIBCMT ref: 001D7B0D
                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002355D2
                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002355E8
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002355F9
                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0023560B
                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0023561C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: SendString$_memmove
                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                  • API String ID: 2279737902-1007645807
                                  • Opcode ID: ee32ea1e07c200258fde639acb0d4ff801fd654148ace92688ba470fc333341a
                                  • Instruction ID: e365b1970bb56bdd288a38b806560dd280fe3708ebaf3266581881190440d2b3
                                  • Opcode Fuzzy Hash: ee32ea1e07c200258fde639acb0d4ff801fd654148ace92688ba470fc333341a
                                  • Instruction Fuzzy Hash: D411986497156A79E720B661CC8ADFF7B7CEFA6B00F40046BB405931D1EF601E15CAB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                  • String ID: 0.0.0.0
                                  • API String ID: 208665112-3771769585
                                  • Opcode ID: d817184f97de45902e7b60670620f627313a9c0368bd815f7cde472e9a80bb21
                                  • Instruction ID: fb2e24c09cbf7af8afe2b1b9efd82362aabad8d852f535a3e97a79a85fcff613
                                  • Opcode Fuzzy Hash: d817184f97de45902e7b60670620f627313a9c0368bd815f7cde472e9a80bb21
                                  • Instruction Fuzzy Hash: F5112771924219ABCB20FB20ED0AFEB77BCDF01721F0001B6F504960A1EF70AA918691
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • timeGetTime.WINMM ref: 0023521C
                                    • Part of subcall function 001F0719: timeGetTime.WINMM(?,7707B400,001E0FF9), ref: 001F071D
                                  • Sleep.KERNEL32(0000000A), ref: 00235248
                                  • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0023526C
                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0023528E
                                  • SetActiveWindow.USER32 ref: 002352AD
                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002352BB
                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 002352DA
                                  • Sleep.KERNEL32(000000FA), ref: 002352E5
                                  • IsWindow.USER32 ref: 002352F1
                                  • EndDialog.USER32(00000000), ref: 00235302
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                  • String ID: BUTTON
                                  • API String ID: 1194449130-3405671355
                                  • Opcode ID: 5691c1abb180467b6354401bdd557fe291eb31faf7da1c7235ec724978d4467e
                                  • Instruction ID: d56070c674ef0579e3bbd8f1bd6e4f347e0727d7edd33feca373455570027fd6
                                  • Opcode Fuzzy Hash: 5691c1abb180467b6354401bdd557fe291eb31faf7da1c7235ec724978d4467e
                                  • Instruction Fuzzy Hash: 5721C3B0224705AFE7415F30FE8CB263B69EB46347F410469F80A821B1DB71DD248B25
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D9997: __itow.LIBCMT ref: 001D99C2
                                    • Part of subcall function 001D9997: __swprintf.LIBCMT ref: 001D9A0C
                                  • CoInitialize.OLE32(00000000), ref: 0023D855
                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0023D8E8
                                  • SHGetDesktopFolder.SHELL32(?), ref: 0023D8FC
                                  • CoCreateInstance.OLE32(00262D7C,00000000,00000001,0028A89C,?), ref: 0023D948
                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0023D9B7
                                  • CoTaskMemFree.OLE32(?,?), ref: 0023DA0F
                                  • _memset.LIBCMT ref: 0023DA4C
                                  • SHBrowseForFolderW.SHELL32(?), ref: 0023DA88
                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0023DAAB
                                  • CoTaskMemFree.OLE32(00000000), ref: 0023DAB2
                                  • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0023DAE9
                                  • CoUninitialize.OLE32(00000001,00000000), ref: 0023DAEB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                  • String ID:
                                  • API String ID: 1246142700-0
                                  • Opcode ID: e518de1f21d79765aed1a77f5e57b4aa43cfce419e1ccafe1b3b5a82198b9312
                                  • Instruction ID: 9a7ede5f017caa39ac4635233f6fb5dab2afb534c703c7ff526cb1f0251ef726
                                  • Opcode Fuzzy Hash: e518de1f21d79765aed1a77f5e57b4aa43cfce419e1ccafe1b3b5a82198b9312
                                  • Instruction Fuzzy Hash: F8B1FA75A10209AFDB04DFA4D988EAEBBB9FF48304F148469F909EB251DB31ED45CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 002305A7
                                  • SetKeyboardState.USER32(?), ref: 00230612
                                  • GetAsyncKeyState.USER32(000000A0), ref: 00230632
                                  • GetKeyState.USER32(000000A0), ref: 00230649
                                  • GetAsyncKeyState.USER32(000000A1), ref: 00230678
                                  • GetKeyState.USER32(000000A1), ref: 00230689
                                  • GetAsyncKeyState.USER32(00000011), ref: 002306B5
                                  • GetKeyState.USER32(00000011), ref: 002306C3
                                  • GetAsyncKeyState.USER32(00000012), ref: 002306EC
                                  • GetKeyState.USER32(00000012), ref: 002306FA
                                  • GetAsyncKeyState.USER32(0000005B), ref: 00230723
                                  • GetKeyState.USER32(0000005B), ref: 00230731
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  • Opcode ID: 76194147b315e4145cca7bbf00131ebfcc84225ad12e896f3b3a785530486ccf
                                  • Instruction ID: c5298661316b28fc70fe9726159d0ddf89bd2668e8a7149ca4748f792840a949
                                  • Opcode Fuzzy Hash: 76194147b315e4145cca7bbf00131ebfcc84225ad12e896f3b3a785530486ccf
                                  • Instruction Fuzzy Hash: EA511BA0A1478919FB34DFB088A57EABFB49F01380F484599C5C2561C2DA64EB6CCF75
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetDlgItem.USER32(?,00000001), ref: 0022C746
                                  • GetWindowRect.USER32(00000000,?), ref: 0022C758
                                  • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0022C7B6
                                  • GetDlgItem.USER32(?,00000002), ref: 0022C7C1
                                  • GetWindowRect.USER32(00000000,?), ref: 0022C7D3
                                  • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0022C827
                                  • GetDlgItem.USER32(?,000003E9), ref: 0022C835
                                  • GetWindowRect.USER32(00000000,?), ref: 0022C846
                                  • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0022C889
                                  • GetDlgItem.USER32(?,000003EA), ref: 0022C897
                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0022C8B4
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0022C8C1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$ItemMoveRect$Invalidate
                                  • String ID:
                                  • API String ID: 3096461208-0
                                  • Opcode ID: 175365ee34484e781f883df629a2468f279573f6883320cbcdcda1a4099b3efe
                                  • Instruction ID: 464688f753fbd43d0d8ac60ec720798006583a0c6cdbc3007a163dde1317ad7a
                                  • Opcode Fuzzy Hash: 175365ee34484e781f883df629a2468f279573f6883320cbcdcda1a4099b3efe
                                  • Instruction Fuzzy Hash: 71512F71B10205BFDB18CFA9ED99AAEBBBAEB88311F24813DF515D7290D7709D008B54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001D2036,?,00000000,?,?,?,?,001D16CB,00000000,?), ref: 001D1B9A
                                  • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 001D20D3
                                  • KillTimer.USER32(-00000001,?,?,?,?,001D16CB,00000000,?,?,001D1AE2,?,?), ref: 001D216E
                                  • DestroyAcceleratorTable.USER32(00000000), ref: 0020BEF6
                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001D16CB,00000000,?,?,001D1AE2,?,?), ref: 0020BF27
                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001D16CB,00000000,?,?,001D1AE2,?,?), ref: 0020BF3E
                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001D16CB,00000000,?,?,001D1AE2,?,?), ref: 0020BF5A
                                  • DeleteObject.GDI32(00000000), ref: 0020BF6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                  • String ID:
                                  • API String ID: 641708696-0
                                  • Opcode ID: b54c3276473c041702d475b136e35c6825c9aa5a3fd0af5a44aa6f01de05d333
                                  • Instruction ID: 07d348edbbd3a72dd6c6d4ecd60dda87f99a20a7ffbddfeb19d003640a944cf6
                                  • Opcode Fuzzy Hash: b54c3276473c041702d475b136e35c6825c9aa5a3fd0af5a44aa6f01de05d333
                                  • Instruction Fuzzy Hash: 59618831110712DFCB3AAF14ED4CB2AB7F1FB60312F15852AE56287AA1C775A894DF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D25DB: GetWindowLongW.USER32(?,000000EB), ref: 001D25EC
                                  • GetSysColor.USER32(0000000F), ref: 001D21D3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ColorLongWindow
                                  • String ID:
                                  • API String ID: 259745315-0
                                  • Opcode ID: 731a22494a6589f7288fb7d0a6eab7e34e584fc50fade3ab14a0301cfad2d6f8
                                  • Instruction ID: 3e6c7d0df44ff561a31953c9cfac450eb961e9e3b7cf81acee0ba43529231fc4
                                  • Opcode Fuzzy Hash: 731a22494a6589f7288fb7d0a6eab7e34e584fc50fade3ab14a0301cfad2d6f8
                                  • Instruction Fuzzy Hash: 1E4163311046409FDF255F68EC88BB93B66EB26331F244366FD758A2E6C7318C42DB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CharLowerBuffW.USER32(?,?,0025F910), ref: 0023AB76
                                  • GetDriveTypeW.KERNEL32(00000061,0028A620,00000061), ref: 0023AC40
                                  • _wcscpy.LIBCMT ref: 0023AC6A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: BuffCharDriveLowerType_wcscpy
                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                  • API String ID: 2820617543-1000479233
                                  • Opcode ID: bc6694d921b1a7f555fd59e5158582f4fe30b8aeb4138f381d0fa912889cbc77
                                  • Instruction ID: 21af83b85df96b28d7abc13cb81eac90f1c143fabd8200ef6a60b7ec08841d9a
                                  • Opcode Fuzzy Hash: bc6694d921b1a7f555fd59e5158582f4fe30b8aeb4138f381d0fa912889cbc77
                                  • Instruction Fuzzy Hash: 0F51BD711283069BC720EF14C881AAEB7A6EFA5314F50482EF4D6572E2DB31DD5ACB53
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D2612: GetWindowLongW.USER32(?,000000EB), ref: 001D2623
                                    • Part of subcall function 001D2344: GetCursorPos.USER32(?), ref: 001D2357
                                    • Part of subcall function 001D2344: ScreenToClient.USER32(002967B0,?), ref: 001D2374
                                    • Part of subcall function 001D2344: GetAsyncKeyState.USER32(00000001), ref: 001D2399
                                    • Part of subcall function 001D2344: GetAsyncKeyState.USER32(00000002), ref: 001D23A7
                                  • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0025C2E4
                                  • ImageList_EndDrag.COMCTL32 ref: 0025C2EA
                                  • ReleaseCapture.USER32 ref: 0025C2F0
                                  • SetWindowTextW.USER32(?,00000000), ref: 0025C39A
                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0025C3AD
                                  • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0025C48F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID$pr)$pr)
                                  • API String ID: 1924731296-1076060646
                                  • Opcode ID: 4314e94ff45f759b9ae4c13b7d2fa27bff6242707aee0fda08c812e8049c2b99
                                  • Instruction ID: 3e0d3693b69a3bae5c75bb76527724d8c6b2cccf5d459f8d782916c772670478
                                  • Opcode Fuzzy Hash: 4314e94ff45f759b9ae4c13b7d2fa27bff6242707aee0fda08c812e8049c2b99
                                  • Instruction Fuzzy Hash: 9F51BE70214305AFDB00EF20DC99F6A7BE5FB98311F10452EF9918B2E1DB71A958CB56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __i64tow__itow__swprintf
                                  • String ID: %.15g$0x%p$False$True
                                  • API String ID: 421087845-2263619337
                                  • Opcode ID: a1ad96f421cf5872fded48ad3153988eefedcd99f731a9c6f2a29047e473d3db
                                  • Instruction ID: 9a33efdc3a4437397b1762fc816e52f4b8f13bf5a4b82875468dbe54680ef439
                                  • Opcode Fuzzy Hash: a1ad96f421cf5872fded48ad3153988eefedcd99f731a9c6f2a29047e473d3db
                                  • Instruction Fuzzy Hash: E841E471654309AFDB38AF38D942E7673E8EB44304F20446FE649D72D2EB719942CB11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 002573D9
                                  • CreateMenu.USER32 ref: 002573F4
                                  • SetMenu.USER32(?,00000000), ref: 00257403
                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00257490
                                  • IsMenu.USER32(?), ref: 002574A6
                                  • CreatePopupMenu.USER32 ref: 002574B0
                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002574DD
                                  • DrawMenuBar.USER32 ref: 002574E5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                  • String ID: 0$F
                                  • API String ID: 176399719-3044882817
                                  • Opcode ID: f8a432eb5de927954fe81166f65ce5b86a2fa74027eebd2e878016bdbd127152
                                  • Instruction ID: e61e305289dc92803101bdbf13114dd060c3e3d4ab48a585534ccea0520678e9
                                  • Opcode Fuzzy Hash: f8a432eb5de927954fe81166f65ce5b86a2fa74027eebd2e878016bdbd127152
                                  • Instruction Fuzzy Hash: AE416874A1020AEFDB20DF64E988E9ABBF5FF09342F140029FD1597360D730A924CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002577CD
                                  • CreateCompatibleDC.GDI32(00000000), ref: 002577D4
                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002577E7
                                  • SelectObject.GDI32(00000000,00000000), ref: 002577EF
                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 002577FA
                                  • DeleteDC.GDI32(00000000), ref: 00257803
                                  • GetWindowLongW.USER32(?,000000EC), ref: 0025780D
                                  • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00257821
                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0025782D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                  • String ID: static
                                  • API String ID: 2559357485-2160076837
                                  • Opcode ID: fd6db24f1aa7e670d243a47a988175f6ad6a6cd92d33e9c4f1e216d252919975
                                  • Instruction ID: b1222da3693db9a1f490155c79687157141d466e40aff35f804937d9b8695ac3
                                  • Opcode Fuzzy Hash: fd6db24f1aa7e670d243a47a988175f6ad6a6cd92d33e9c4f1e216d252919975
                                  • Instruction Fuzzy Hash: DD318C31115215BBDF129FA4EC0CFEB3B69EF0D322F100225FA15A61A0D731D825DBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 001F707B
                                    • Part of subcall function 001F8D68: __getptd_noexit.LIBCMT ref: 001F8D68
                                  • __gmtime64_s.LIBCMT ref: 001F7114
                                  • __gmtime64_s.LIBCMT ref: 001F714A
                                  • __gmtime64_s.LIBCMT ref: 001F7167
                                  • __allrem.LIBCMT ref: 001F71BD
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001F71D9
                                  • __allrem.LIBCMT ref: 001F71F0
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001F720E
                                  • __allrem.LIBCMT ref: 001F7225
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001F7243
                                  • __invoke_watson.LIBCMT ref: 001F72B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                  • String ID:
                                  • API String ID: 384356119-0
                                  • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                  • Instruction ID: bebcaa4d1159d0f436589352b455218aea7040e1817b09b4ec13a0948b93aa91
                                  • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                  • Instruction Fuzzy Hash: B871D9B1A0471BABE714EE79CC41B7AB3B8AF55324F14423AF614D76C1EB70DA508B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 00232A31
                                  • GetMenuItemInfoW.USER32(00296890,000000FF,00000000,00000030), ref: 00232A92
                                  • SetMenuItemInfoW.USER32(00296890,00000004,00000000,00000030), ref: 00232AC8
                                  • Sleep.KERNEL32(000001F4), ref: 00232ADA
                                  • GetMenuItemCount.USER32(?), ref: 00232B1E
                                  • GetMenuItemID.USER32(?,00000000), ref: 00232B3A
                                  • GetMenuItemID.USER32(?,-00000001), ref: 00232B64
                                  • GetMenuItemID.USER32(?,?), ref: 00232BA9
                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00232BEF
                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00232C03
                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00232C24
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                  • String ID:
                                  • API String ID: 4176008265-0
                                  • Opcode ID: bce3d5ae5be35d0b112ddfec6994bbe9ba8c2413c4c35c9933e5c2a91b95db4e
                                  • Instruction ID: 844dd2c19a81daf6866c3f3f9beb4e2c5b6c60eb051d07cbb25654f8c330a9a1
                                  • Opcode Fuzzy Hash: bce3d5ae5be35d0b112ddfec6994bbe9ba8c2413c4c35c9933e5c2a91b95db4e
                                  • Instruction Fuzzy Hash: 6D61A1F092034AEFDB11CF64DD88EBEBBB9EB41308F14045AE84197251D771AD69DB20
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00257214
                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00257217
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0025723B
                                  • _memset.LIBCMT ref: 0025724C
                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0025725E
                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002572D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend$LongWindow_memset
                                  • String ID:
                                  • API String ID: 830647256-0
                                  • Opcode ID: a7c64527f4603ed82a6dc86631e192d56e6ffeb3d8e0c51f18d03512f091c784
                                  • Instruction ID: 645176c4a48deeea62af125a5e4556a255e1e8869aa2794beca01af31b576a98
                                  • Opcode Fuzzy Hash: a7c64527f4603ed82a6dc86631e192d56e6ffeb3d8e0c51f18d03512f091c784
                                  • Instruction Fuzzy Hash: 8F618B71950208AFDB10DFA4DC85EEE77F8EB09710F10419AFE14A72A1C770AE59DBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00227135
                                  • SafeArrayAllocData.OLEAUT32(?), ref: 0022718E
                                  • VariantInit.OLEAUT32(?), ref: 002271A0
                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 002271C0
                                  • VariantCopy.OLEAUT32(?,?), ref: 00227213
                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00227227
                                  • VariantClear.OLEAUT32(?), ref: 0022723C
                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 00227249
                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00227252
                                  • VariantClear.OLEAUT32(?), ref: 00227264
                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0022726F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                  • String ID:
                                  • API String ID: 2706829360-0
                                  • Opcode ID: b7e94bf575d61d2ee1443ec8eb34112a0365718d12edbe92ad874c98fdd0cbfa
                                  • Instruction ID: 22935033c96c584841317dc219511bb60c062f989e681c8541a30a4669fa7996
                                  • Opcode Fuzzy Hash: b7e94bf575d61d2ee1443ec8eb34112a0365718d12edbe92ad874c98fdd0cbfa
                                  • Instruction Fuzzy Hash: 14414F35914229EFCF00EFA4E9489AEBBB8FF08355F008069F955A7261CB30A955CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D9997: __itow.LIBCMT ref: 001D99C2
                                    • Part of subcall function 001D9997: __swprintf.LIBCMT ref: 001D9A0C
                                  • CoInitialize.OLE32 ref: 00248718
                                  • CoUninitialize.OLE32 ref: 00248723
                                  • CoCreateInstance.OLE32(?,00000000,00000017,00262BEC,?), ref: 00248783
                                  • IIDFromString.OLE32(?,?), ref: 002487F6
                                  • VariantInit.OLEAUT32(?), ref: 00248890
                                  • VariantClear.OLEAUT32(?), ref: 002488F1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                  • API String ID: 834269672-1287834457
                                  • Opcode ID: 5319f2ea52a370c23e69b61cc5a0cc61d92561ddf4495935ffd5e3dbbcb20870
                                  • Instruction ID: 38c979d0a541fa544135f805ffc5b8cc722a29e8ffcd62a2b3477a3a8f14c4f7
                                  • Opcode Fuzzy Hash: 5319f2ea52a370c23e69b61cc5a0cc61d92561ddf4495935ffd5e3dbbcb20870
                                  • Instruction Fuzzy Hash: 9161E074628302AFD714DF24C988B6FBBE8AF48714F10081EF9859B291DB70ED54CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WSAStartup.WSOCK32(00000101,?), ref: 00245AA6
                                  • inet_addr.WSOCK32(?,?,?), ref: 00245AEB
                                  • gethostbyname.WSOCK32(?), ref: 00245AF7
                                  • IcmpCreateFile.IPHLPAPI ref: 00245B05
                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00245B75
                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00245B8B
                                  • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00245C00
                                  • WSACleanup.WSOCK32 ref: 00245C06
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                  • String ID: Ping
                                  • API String ID: 1028309954-2246546115
                                  • Opcode ID: ec89d9d356f47da10aa0b1477aaae6f2ba13f4cb094396413275a06419f89d74
                                  • Instruction ID: 296f09cf60dc399ca2c893b5956ba847b3346af9d1ae2f9aca61162ab5a78f4a
                                  • Opcode Fuzzy Hash: ec89d9d356f47da10aa0b1477aaae6f2ba13f4cb094396413275a06419f89d74
                                  • Instruction Fuzzy Hash: DF51B231614721AFD715EF24DC89B2ABBE4EF48314F04892AF596DB2A2DB70EC10CB45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0023B73B
                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0023B7B1
                                  • GetLastError.KERNEL32 ref: 0023B7BB
                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 0023B828
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Error$Mode$DiskFreeLastSpace
                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                  • API String ID: 4194297153-14809454
                                  • Opcode ID: b073075195330bc8973026e9554153d8948868aae82337bfbab2ef7ef6f91075
                                  • Instruction ID: f606112a0ed9ba30fa17602662b7ff09e9b09f86c12375540d51431283b85de8
                                  • Opcode Fuzzy Hash: b073075195330bc8973026e9554153d8948868aae82337bfbab2ef7ef6f91075
                                  • Instruction Fuzzy Hash: A131C476A10205AFDB01EF64D889ABEB7B4FF45701F10802AF605DB291DB719952CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                    • Part of subcall function 0022B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0022B0E7
                                  • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 002294F6
                                  • GetDlgCtrlID.USER32 ref: 00229501
                                  • GetParent.USER32 ref: 0022951D
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00229520
                                  • GetDlgCtrlID.USER32(?), ref: 00229529
                                  • GetParent.USER32(?), ref: 00229545
                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00229548
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 1536045017-1403004172
                                  • Opcode ID: 4343f165766106826115193ea3da8e976f5aebefa886454815944c5b6ffb3359
                                  • Instruction ID: 9f85953902424f334e1ddf5e36175ae774c7e8d25e54c5f537edd3b7df3b8f49
                                  • Opcode Fuzzy Hash: 4343f165766106826115193ea3da8e976f5aebefa886454815944c5b6ffb3359
                                  • Instruction Fuzzy Hash: BA210674A00214BBCF01AFA0DC85EFEBBB8EF55310F100116B561972E2DB755969DF20
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                    • Part of subcall function 0022B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0022B0E7
                                  • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002295DF
                                  • GetDlgCtrlID.USER32 ref: 002295EA
                                  • GetParent.USER32 ref: 00229606
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00229609
                                  • GetDlgCtrlID.USER32(?), ref: 00229612
                                  • GetParent.USER32(?), ref: 0022962E
                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00229631
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 1536045017-1403004172
                                  • Opcode ID: 70888a473dbb58860bfac66e47d0d3a9fac2f55d61d91b01e09003f264881cec
                                  • Instruction ID: fde7ffb2aa81116b3d5044db7da99ee2b2ad1581ae63e8a5de3861386fd16425
                                  • Opcode Fuzzy Hash: 70888a473dbb58860bfac66e47d0d3a9fac2f55d61d91b01e09003f264881cec
                                  • Instruction Fuzzy Hash: 7D21D074A00214BBDF01ABA0DC89EFEBBB8EF58300F100016F921972E1DB759969DF24
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetParent.USER32 ref: 00229651
                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00229666
                                  • _wcscmp.LIBCMT ref: 00229678
                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002296F3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ClassMessageNameParentSend_wcscmp
                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                  • API String ID: 1704125052-3381328864
                                  • Opcode ID: 966c1b068a8acc88ed10211360df39d3eea40816dc5a10525d4ba757d9450e75
                                  • Instruction ID: 908d406148110ebb1df4ffa832190e868f5c2a5f20dc889c6b388f9d140704c0
                                  • Opcode Fuzzy Hash: 966c1b068a8acc88ed10211360df39d3eea40816dc5a10525d4ba757d9450e75
                                  • Instruction Fuzzy Hash: B7110D7A16831B7AF6013A60FC0ADB677DC8F15370F200026FA10A50D1FFA559F04A58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __swprintf.LIBCMT ref: 0023419D
                                  • __swprintf.LIBCMT ref: 002341AA
                                    • Part of subcall function 001F38D8: __woutput_l.LIBCMT ref: 001F3931
                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 002341D4
                                  • LoadResource.KERNEL32(?,00000000), ref: 002341E0
                                  • LockResource.KERNEL32(00000000), ref: 002341ED
                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 0023420D
                                  • LoadResource.KERNEL32(?,00000000), ref: 0023421F
                                  • SizeofResource.KERNEL32(?,00000000), ref: 0023422E
                                  • LockResource.KERNEL32(?), ref: 0023423A
                                  • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0023429B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                  • String ID:
                                  • API String ID: 1433390588-0
                                  • Opcode ID: fcf0a28364fb78dc34de4e7885e88f0f1312ce4d68032bb0e1299c7b2a354995
                                  • Instruction ID: ce94aaace33d1653e8f30d8b9fee5d771ecd654c435666ff7774ac65670ce43d
                                  • Opcode Fuzzy Hash: fcf0a28364fb78dc34de4e7885e88f0f1312ce4d68032bb0e1299c7b2a354995
                                  • Instruction Fuzzy Hash: 2531AEB162520AABDB01AF60ED48EBF7BACEF04301F004565FD15E2150E774EA618BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00231700
                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00230778,?,00000001), ref: 00231714
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0023171B
                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00230778,?,00000001), ref: 0023172A
                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0023173C
                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00230778,?,00000001), ref: 00231755
                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00230778,?,00000001), ref: 00231767
                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00230778,?,00000001), ref: 002317AC
                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00230778,?,00000001), ref: 002317C1
                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00230778,?,00000001), ref: 002317CC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                  • String ID:
                                  • API String ID: 2156557900-0
                                  • Opcode ID: 1a9826ed888ed4da33b397a82897cfd8940d15a88ea7aa122a4d4fee76909f6c
                                  • Instruction ID: 60d7e9074d5e3ffa28b8dcf2310a2b881d528881d81aae9fefc89e4e61acf909
                                  • Opcode Fuzzy Hash: 1a9826ed888ed4da33b397a82897cfd8940d15a88ea7aa122a4d4fee76909f6c
                                  • Instruction Fuzzy Hash: 6E31BFB5620305BBEB119F24FD8CB79BBADAB25712F144026F804D62A0D7B09D608B64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Variant$ClearInit$_memset
                                  • String ID: ,,&$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                  • API String ID: 2862541840-3523486460
                                  • Opcode ID: 1b9ce8160c3c7e8c9fc209fb13f3a47ca02859e0e7f4670a3966b465fa775018
                                  • Instruction ID: cda4f225988cab1d43ec937d9a7dc3a4348fe17d4c95cec9a701663af67be06b
                                  • Opcode Fuzzy Hash: 1b9ce8160c3c7e8c9fc209fb13f3a47ca02859e0e7f4670a3966b465fa775018
                                  • Instruction Fuzzy Hash: 8A91E271A20219AFDF28DFA5C848FAFB7B8EF45314F10815AF515AB280D7709995CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • EnumChildWindows.USER32(?,0022AA64), ref: 0022A9A2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ChildEnumWindows
                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                  • API String ID: 3555792229-1603158881
                                  • Opcode ID: ca098e5a3108512cc0469e19df947d185638494a6095132531d35f65ffe73ccb
                                  • Instruction ID: b0536d128ea31881b54a59cd066c37a8e26d55fcaab4bf667382ff1a23cffd1f
                                  • Opcode Fuzzy Hash: ca098e5a3108512cc0469e19df947d185638494a6095132531d35f65ffe73ccb
                                  • Instruction Fuzzy Hash: 1091C43051061AFBDB18EFE0D481BF9FB74BF14304F508119D99AA3591DF3069A9CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowLongW.USER32(?,000000EB), ref: 001D2EAE
                                    • Part of subcall function 001D1DB3: GetClientRect.USER32(?,?), ref: 001D1DDC
                                    • Part of subcall function 001D1DB3: GetWindowRect.USER32(?,?), ref: 001D1E1D
                                    • Part of subcall function 001D1DB3: ScreenToClient.USER32(?,?), ref: 001D1E45
                                  • GetDC.USER32 ref: 0020CF82
                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0020CF95
                                  • SelectObject.GDI32(00000000,00000000), ref: 0020CFA3
                                  • SelectObject.GDI32(00000000,00000000), ref: 0020CFB8
                                  • ReleaseDC.USER32(?,00000000), ref: 0020CFC0
                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0020D04B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                  • String ID: U
                                  • API String ID: 4009187628-3372436214
                                  • Opcode ID: 1cf797fb1771daf9ce6d6a6e1c0693b1e26ba83dda65db287dcc99064388c781
                                  • Instruction ID: 93faed6dc01ec0f4e781b9c2e999dfba45e108dd235be5f939857db9be286630
                                  • Opcode Fuzzy Hash: 1cf797fb1771daf9ce6d6a6e1c0693b1e26ba83dda65db287dcc99064388c781
                                  • Instruction Fuzzy Hash: FE71E470510306EFCF218FA4C888ABA7BB6FF58351F24426BED555A2A6C7318C61DF61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0025F910), ref: 0024903D
                                  • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0025F910), ref: 00249071
                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002491EB
                                  • SysFreeString.OLEAUT32(?), ref: 00249215
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                  • String ID:
                                  • API String ID: 560350794-0
                                  • Opcode ID: 8899c4b51f83557ce5ce03f47bf0d54bb4527df61eca18c71689ac5b31e3238d
                                  • Instruction ID: e1d3f1da3865d106b7b3eaf054aae4b89ef460a9a6739df16cf2347cbf8bd9d8
                                  • Opcode Fuzzy Hash: 8899c4b51f83557ce5ce03f47bf0d54bb4527df61eca18c71689ac5b31e3238d
                                  • Instruction Fuzzy Hash: 10F14D71A1020AEFDF08DF94C888EAEB7B9FF49315F108099F519AB250DB71AD95CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 0024F9C9
                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0024FB5C
                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0024FB80
                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0024FBC0
                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0024FBE2
                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0024FD5E
                                  • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0024FD90
                                  • CloseHandle.KERNEL32(?), ref: 0024FDBF
                                  • CloseHandle.KERNEL32(?), ref: 0024FE36
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                  • String ID:
                                  • API String ID: 4090791747-0
                                  • Opcode ID: 8a5a4d20c85232eda6ddb8be5fd5195f9b163b16bc5b26d1c2c51b9428dc0b7f
                                  • Instruction ID: ecf2a40f597f499c7ba6f8cab19eba14f0e53c78b6de07f507201976730f8eb5
                                  • Opcode Fuzzy Hash: 8a5a4d20c85232eda6ddb8be5fd5195f9b163b16bc5b26d1c2c51b9428dc0b7f
                                  • Instruction Fuzzy Hash: 59E1D231214341EFCB58EF24C591B6ABBE0AF85314F14886EF8898B3A2DB31DC55CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 002348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002338D3,?), ref: 002348C7
                                    • Part of subcall function 002348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002338D3,?), ref: 002348E0
                                    • Part of subcall function 00234CD3: GetFileAttributesW.KERNEL32(?,00233947), ref: 00234CD4
                                  • lstrcmpiW.KERNEL32(?,?), ref: 00234FE2
                                  • _wcscmp.LIBCMT ref: 00234FFC
                                  • MoveFileW.KERNEL32(?,?), ref: 00235017
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                  • String ID:
                                  • API String ID: 793581249-0
                                  • Opcode ID: ac1f7f385bcbefca55632411e28d6bb26680bbbecb7e0b1f225cf66fb14926fe
                                  • Instruction ID: 84e514c127687b158e73f3409abf332a71217efd4d0b9b65c1d7c6eeba90ee1f
                                  • Opcode Fuzzy Hash: ac1f7f385bcbefca55632411e28d6bb26680bbbecb7e0b1f225cf66fb14926fe
                                  • Instruction Fuzzy Hash: F55164F20187859BC724EB50D8819DFB3ECAF95301F10092EF289D3151EF75A698CB66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0025896E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: InvalidateRect
                                  • String ID:
                                  • API String ID: 634782764-0
                                  • Opcode ID: 1844a1409e0ee2891522d113471ae90bf5771fdb9c10ba602c5da8ca54488209
                                  • Instruction ID: 625d73a67f8935069840eb73f5d9a4426b3340dcc32028e93c7660899962ba87
                                  • Opcode Fuzzy Hash: 1844a1409e0ee2891522d113471ae90bf5771fdb9c10ba602c5da8ca54488209
                                  • Instruction Fuzzy Hash: 8951C830520209BFDF209F28DC89B697B65FF15352F604116FD11F62A1DFF1A9A88B89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0020C547
                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0020C569
                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0020C581
                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0020C59F
                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0020C5C0
                                  • DestroyIcon.USER32(00000000), ref: 0020C5CF
                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0020C5EC
                                  • DestroyIcon.USER32(?), ref: 0020C5FB
                                    • Part of subcall function 0025A71E: DeleteObject.GDI32(00000000), ref: 0025A757
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                  • String ID:
                                  • API String ID: 2819616528-0
                                  • Opcode ID: c912ea98d572bc94839e3f9ba3d86c7aac3d2732fb52a4808e7b32c545a958f4
                                  • Instruction ID: 42359503588cdccfeb2b55c32fea7bb0b6dce3df23b0f1c1f8b682614d1707c5
                                  • Opcode Fuzzy Hash: c912ea98d572bc94839e3f9ba3d86c7aac3d2732fb52a4808e7b32c545a958f4
                                  • Instruction Fuzzy Hash: FF514B74A10305AFDB24DF24DC49BAA7BB5EB68351F20062AF912A72D0D7B0ED90DB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00228E0C
                                  • HeapAlloc.KERNEL32(00000000), ref: 00228E13
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00228E28
                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 00228E30
                                  • DuplicateHandle.KERNEL32(00000000), ref: 00228E33
                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 00228E43
                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 00228E4B
                                  • DuplicateHandle.KERNEL32(00000000), ref: 00228E4E
                                  • CreateThread.KERNEL32(00000000,00000000,00228E74,00000000,00000000,00000000), ref: 00228E68
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                  • String ID:
                                  • API String ID: 1957940570-0
                                  • Opcode ID: 67d62205c401867322c71570aa17188af3b8fb76fbbd252b7131f3b919dc36fa
                                  • Instruction ID: 9f58c15d744f3a02fa7b43542fcf372d007715818bd714b2b734d5ddae91cd01
                                  • Opcode Fuzzy Hash: 67d62205c401867322c71570aa17188af3b8fb76fbbd252b7131f3b919dc36fa
                                  • Instruction Fuzzy Hash: 4F01A8B5640708FFE650ABA5ED4DF6B3BACEB89711F018421FA09DB1A1CA7098008A24
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00227652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0022758C,80070057,?,?,?,0022799D), ref: 0022766F
                                    • Part of subcall function 00227652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0022758C,80070057,?,?), ref: 0022768A
                                    • Part of subcall function 00227652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0022758C,80070057,?,?), ref: 00227698
                                    • Part of subcall function 00227652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0022758C,80070057,?), ref: 002276A8
                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00249B1B
                                  • _memset.LIBCMT ref: 00249B28
                                  • _memset.LIBCMT ref: 00249C6B
                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00249C97
                                  • CoTaskMemFree.OLE32(?), ref: 00249CA2
                                  Strings
                                  • NULL Pointer assignment, xrefs: 00249CF0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                  • String ID: NULL Pointer assignment
                                  • API String ID: 1300414916-2785691316
                                  • Opcode ID: 2cdf1a1ff07997c51f9f6de0250938dad1f72f01ed04a4659f1a1f310bdd7dbf
                                  • Instruction ID: 34e46716ef2426235707f8c1b041af8a64b57deaa126eb83500a2222ec96fe9e
                                  • Opcode Fuzzy Hash: 2cdf1a1ff07997c51f9f6de0250938dad1f72f01ed04a4659f1a1f310bdd7dbf
                                  • Instruction Fuzzy Hash: 59916871D10229EBDF14DFA0DC85ADEBBB9EF08310F20415AF419A7281EB719A54CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00257093
                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 002570A7
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002570C1
                                  • _wcscat.LIBCMT ref: 0025711C
                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 00257133
                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00257161
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window_wcscat
                                  • String ID: SysListView32
                                  • API String ID: 307300125-78025650
                                  • Opcode ID: 600451de9f6985463a0253de0a36d993f8878af983e30d18e6ebe78d49af9369
                                  • Instruction ID: 51e587d471d4dd36e6b780c5ba628f59ad5700640bbeb1fc82afb66a60353526
                                  • Opcode Fuzzy Hash: 600451de9f6985463a0253de0a36d993f8878af983e30d18e6ebe78d49af9369
                                  • Instruction Fuzzy Hash: 2F41F330A54309AFDB219FA4DC89BEE77E8EF08351F10042AF944E72D2D3719D988B54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00233E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00233EB6
                                    • Part of subcall function 00233E91: Process32FirstW.KERNEL32(00000000,?), ref: 00233EC4
                                    • Part of subcall function 00233E91: CloseHandle.KERNEL32(00000000), ref: 00233F8E
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0024ECB8
                                  • GetLastError.KERNEL32 ref: 0024ECCB
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0024ECFA
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 0024ED77
                                  • GetLastError.KERNEL32(00000000), ref: 0024ED82
                                  • CloseHandle.KERNEL32(00000000), ref: 0024EDB7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                  • String ID: SeDebugPrivilege
                                  • API String ID: 2533919879-2896544425
                                  • Opcode ID: 5aee704b5e181f1e048e19866d02de62e5b8a6be8038acb0cd87f7aec1f35786
                                  • Instruction ID: a5fd1da0b5a688681697339efc454384f7e02145874493b088debd76f40b124c
                                  • Opcode Fuzzy Hash: 5aee704b5e181f1e048e19866d02de62e5b8a6be8038acb0cd87f7aec1f35786
                                  • Instruction Fuzzy Hash: A441CC71620211AFEB18EF24DC99F6DB7A4AF40714F098059F8429B2D2CBB5AC24CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadIconW.USER32(00000000,00007F03), ref: 002332C5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: IconLoad
                                  • String ID: blank$info$question$stop$warning
                                  • API String ID: 2457776203-404129466
                                  • Opcode ID: d29f9361d1dac139011689902684f793060b7be8435ffd59ef2bb541cc5b3aac
                                  • Instruction ID: 0fc4914fa6b294d24b3b7bc088514182be8e808991e6819e9ab300d7677e31b8
                                  • Opcode Fuzzy Hash: d29f9361d1dac139011689902684f793060b7be8435ffd59ef2bb541cc5b3aac
                                  • Instruction Fuzzy Hash: 9811D57562D34BBAA701AE54DC42C6BB39CDF1A760F20002AFE01A61C1EBB55F6046B5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0023454E
                                  • LoadStringW.USER32(00000000), ref: 00234555
                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0023456B
                                  • LoadStringW.USER32(00000000), ref: 00234572
                                  • _wprintf.LIBCMT ref: 00234598
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002345B6
                                  Strings
                                  • %s (%d) : ==> %s: %s %s, xrefs: 00234593
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: HandleLoadModuleString$Message_wprintf
                                  • String ID: %s (%d) : ==> %s: %s %s
                                  • API String ID: 3648134473-3128320259
                                  • Opcode ID: f693a7133b2b88e1f7fb553d7d1173576c090bc6d84d65f583e7afdcdd919df7
                                  • Instruction ID: d358d048aa54865e85a52c02196e20999077c11a1cd9278d6bfb675de0cb3d62
                                  • Opcode Fuzzy Hash: f693a7133b2b88e1f7fb553d7d1173576c090bc6d84d65f583e7afdcdd919df7
                                  • Instruction Fuzzy Hash: 0401A7F2900308BFE750A794EE8DEF7776CD708301F4004A5BB09D2051EA705E948B74
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D2612: GetWindowLongW.USER32(?,000000EB), ref: 001D2623
                                  • GetSystemMetrics.USER32(0000000F), ref: 0025D78A
                                  • GetSystemMetrics.USER32(0000000F), ref: 0025D7AA
                                  • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0025D9E5
                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0025DA03
                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0025DA24
                                  • ShowWindow.USER32(00000003,00000000), ref: 0025DA43
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0025DA68
                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 0025DA8B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                  • String ID:
                                  • API String ID: 1211466189-0
                                  • Opcode ID: eb0cbbb557402e76373cdd584988b4de7ec7cecf9c3c9ec67df4379ef7607a7a
                                  • Instruction ID: 153c2364ca34cc850aae7e77e50aba1d3007194dc58c80e69b0f48c6c2d2c7f5
                                  • Opcode Fuzzy Hash: eb0cbbb557402e76373cdd584988b4de7ec7cecf9c3c9ec67df4379ef7607a7a
                                  • Instruction Fuzzy Hash: 5EB18C71510216EFDF24CF68C9897BE7BB1FF08712F088069EC489B295D734A968CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0020C417,00000004,00000000,00000000,00000000), ref: 001D2ACF
                                  • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0020C417,00000004,00000000,00000000,00000000,000000FF), ref: 001D2B17
                                  • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0020C417,00000004,00000000,00000000,00000000), ref: 0020C46A
                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0020C417,00000004,00000000,00000000,00000000), ref: 0020C4D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ShowWindow
                                  • String ID:
                                  • API String ID: 1268545403-0
                                  • Opcode ID: 2e3a2f58cfc67ec1072a9de6656d69f2920bef89ac460389e6a9239c450ad5fb
                                  • Instruction ID: 4ce2d0833e07142b131a3658c6843c67dda86c7eaed1238dd0a284944cec86c6
                                  • Opcode Fuzzy Hash: 2e3a2f58cfc67ec1072a9de6656d69f2920bef89ac460389e6a9239c450ad5fb
                                  • Instruction Fuzzy Hash: E64118313187809AC7398B289DDCB7B7BA2FB66300F65891FE06787BA1C775A841D710
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 0023737F
                                    • Part of subcall function 001F0FF6: std::exception::exception.LIBCMT ref: 001F102C
                                    • Part of subcall function 001F0FF6: __CxxThrowException@8.LIBCMT ref: 001F1041
                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002373B6
                                  • EnterCriticalSection.KERNEL32(?), ref: 002373D2
                                  • _memmove.LIBCMT ref: 00237420
                                  • _memmove.LIBCMT ref: 0023743D
                                  • LeaveCriticalSection.KERNEL32(?), ref: 0023744C
                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00237461
                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00237480
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                  • String ID:
                                  • API String ID: 256516436-0
                                  • Opcode ID: ec2fcbccbfe50e86ad261f70f2fe95be78a84cb54917ae2b542e40524e310809
                                  • Instruction ID: c40ff62c9415c360d8b8832f49e4fd668a03f51032733727e8050013c15ef5ca
                                  • Opcode Fuzzy Hash: ec2fcbccbfe50e86ad261f70f2fe95be78a84cb54917ae2b542e40524e310809
                                  • Instruction Fuzzy Hash: 54317EB5904205EBDF10DF64ED89AAF7BB8EF44711F1441A9FE04EB246DB309A10CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DeleteObject.GDI32(00000000), ref: 0025645A
                                  • GetDC.USER32(00000000), ref: 00256462
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0025646D
                                  • ReleaseDC.USER32(00000000,00000000), ref: 00256479
                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002564B5
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002564C6
                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00259299,?,?,000000FF,00000000,?,000000FF,?), ref: 00256500
                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00256520
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                  • String ID:
                                  • API String ID: 3864802216-0
                                  • Opcode ID: 0c41c53654101e1897c95c67b7381398b78d4e2030d2d455fe93071fa8a95619
                                  • Instruction ID: 1bdba4f0aea5398538e7ee255a84b673b737053786fd69532f6d504ae6e78c8b
                                  • Opcode Fuzzy Hash: 0c41c53654101e1897c95c67b7381398b78d4e2030d2d455fe93071fa8a95619
                                  • Instruction Fuzzy Hash: F7319C72200210BFEB218F10DD8AFEB3FADEF09762F044065FE089A295D6759C51CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memcmp
                                  • String ID:
                                  • API String ID: 2931989736-0
                                  • Opcode ID: dcd3baa1947c883f4d7dbaea957cfd12ed81b015d34fbb937dd3f798478b5504
                                  • Instruction ID: 10b94969b91e0f6e2a2869a22b150811eae9a32ee1df7c62f2d45d745ca3ea06
                                  • Opcode Fuzzy Hash: dcd3baa1947c883f4d7dbaea957cfd12ed81b015d34fbb937dd3f798478b5504
                                  • Instruction Fuzzy Hash: C921DA71A70A2AF7D224A9616C43FBF335C9F317A9B240011FE09D62C2E791DE3585E5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D9997: __itow.LIBCMT ref: 001D99C2
                                    • Part of subcall function 001D9997: __swprintf.LIBCMT ref: 001D9A0C
                                    • Part of subcall function 001EFEC6: _wcscpy.LIBCMT ref: 001EFEE9
                                  • _wcstok.LIBCMT ref: 0023EEFF
                                  • _wcscpy.LIBCMT ref: 0023EF8E
                                  • _memset.LIBCMT ref: 0023EFC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                  • String ID: X
                                  • API String ID: 774024439-3081909835
                                  • Opcode ID: 78e24e74b7c47acf0ec0075ffbe7f8268ec0da569c69fcac0a75d26f9e79c5ef
                                  • Instruction ID: 3e97e00f2aef8022d3d77c6fbcaca6c7fbc5e7d534e4666bc12bce79760dae11
                                  • Opcode Fuzzy Hash: 78e24e74b7c47acf0ec0075ffbe7f8268ec0da569c69fcac0a75d26f9e79c5ef
                                  • Instruction Fuzzy Hash: 3BC19D715183019FC764EF24D981A6AB7E4FF94310F04492EF8999B3A2EB70ED55CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00246F14
                                  • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00246F35
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00246F48
                                  • htons.WSOCK32(?,?,?,00000000,?), ref: 00246FFE
                                  • inet_ntoa.WSOCK32(?), ref: 00246FBB
                                    • Part of subcall function 0022AE14: _strlen.LIBCMT ref: 0022AE1E
                                    • Part of subcall function 0022AE14: _memmove.LIBCMT ref: 0022AE40
                                  • _strlen.LIBCMT ref: 00247058
                                  • _memmove.LIBCMT ref: 002470C1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                  • String ID:
                                  • API String ID: 3619996494-0
                                  • Opcode ID: bd68e7281d194c702e4cb0375b51cad68db08e1d1b50c1951fa40951f0009351
                                  • Instruction ID: 1b5902a78ccef7deee96af8c0eb63780afcecbd051267a96d7fac89b5ed6de06
                                  • Opcode Fuzzy Hash: bd68e7281d194c702e4cb0375b51cad68db08e1d1b50c1951fa40951f0009351
                                  • Instruction Fuzzy Hash: 7781FF72218300AFD718EF24CC86F6BB3E9AF94714F10491EF5559B2A2DB71AD04CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 97fd1812b0587be68220e7d44abe0a1cb98cd58065f1b9c26251a3fbc505fa99
                                  • Instruction ID: a228dd3666f4206027956384398ba15c89ae9f06a86685b940c144f7da6ef810
                                  • Opcode Fuzzy Hash: 97fd1812b0587be68220e7d44abe0a1cb98cd58065f1b9c26251a3fbc505fa99
                                  • Instruction Fuzzy Hash: 20717B31900209FFCB158F98CD48ABEBB79FF85314F14815AF915AB291C734AA51CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • IsWindow.USER32(010B5490), ref: 0025B6A5
                                  • IsWindowEnabled.USER32(010B5490), ref: 0025B6B1
                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0025B795
                                  • SendMessageW.USER32(010B5490,000000B0,?,?), ref: 0025B7CC
                                  • IsDlgButtonChecked.USER32(?,?), ref: 0025B809
                                  • GetWindowLongW.USER32(010B5490,000000EC), ref: 0025B82B
                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0025B843
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                  • String ID:
                                  • API String ID: 4072528602-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 0024F75C
                                  • _memset.LIBCMT ref: 0024F825
                                  • ShellExecuteExW.SHELL32(?), ref: 0024F86A
                                    • Part of subcall function 001D9997: __itow.LIBCMT ref: 001D99C2
                                    • Part of subcall function 001D9997: __swprintf.LIBCMT ref: 001D9A0C
                                    • Part of subcall function 001EFEC6: _wcscpy.LIBCMT ref: 001EFEE9
                                  • GetProcessId.KERNEL32(00000000), ref: 0024F8E1
                                  • CloseHandle.KERNEL32(00000000), ref: 0024F910
                                  Strings
                                  Similarity
                                  • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                  • String ID: @
                                  • API String ID: 3522835683-2766056989
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetParent.USER32(?), ref: 0023149C
                                  • GetKeyboardState.USER32(?), ref: 002314B1
                                  • SetKeyboardState.USER32(?), ref: 00231512
                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 00231540
                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 0023155F
                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 002315A5
                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 002315C8
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$Parent
                                  • String ID:
                                  • API String ID: 87235514-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetParent.USER32(00000000), ref: 002312B5
                                  • GetKeyboardState.USER32(?), ref: 002312CA
                                  • SetKeyboardState.USER32(?), ref: 0023132B
                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00231357
                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00231374
                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002313B8
                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002313D9
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$Parent
                                  • String ID:
                                  • API String ID: 87235514-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Similarity
                                  • API ID: _wcsncpy$LocalTime
                                  • String ID:
                                  • API String ID: 2945705084-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0022DAC5
                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0022DAFB
                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0022DB0C
                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0022DB8E
                                  Strings
                                  Similarity
                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                  • String ID: ,,&$DllGetClassObject
                                  • API String ID: 753597075-1280094592
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 002348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002338D3,?), ref: 002348C7
                                    • Part of subcall function 002348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002338D3,?), ref: 002348E0
                                  • lstrcmpiW.KERNEL32(?,?), ref: 002338F3
                                  • _wcscmp.LIBCMT ref: 0023390F
                                  • MoveFileW.KERNEL32(?,?), ref: 00233927
                                  • _wcscat.LIBCMT ref: 0023396F
                                  • SHFileOperationW.SHELL32(?), ref: 002339DB
                                  Strings
                                  Similarity
                                  • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                  • String ID: \*.*
                                  • API String ID: 1377345388-1173974218
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 00257519
                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002575C0
                                  • IsMenu.USER32(?), ref: 002575D8
                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00257620
                                  • DrawMenuBar.USER32 ref: 00257633
                                  Strings
                                  Similarity
                                  • API ID: Menu$Item$DrawInfoInsert_memset
                                  • String ID: 0
                                  • API String ID: 3866635326-4108050209
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0025125C
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00251286
                                  • FreeLibrary.KERNEL32(00000000), ref: 0025133D
                                    • Part of subcall function 0025122D: RegCloseKey.ADVAPI32(?), ref: 002512A3
                                    • Part of subcall function 0025122D: FreeLibrary.KERNEL32(?), ref: 002512F5
                                    • Part of subcall function 0025122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00251318
                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 002512E0
                                  Similarity
                                  • API ID: EnumFreeLibrary$CloseDeleteOpen
                                  • String ID:
                                  • API String ID: 395352322-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0025655B
                                  • GetWindowLongW.USER32(010B5490,000000F0), ref: 0025658E
                                  • GetWindowLongW.USER32(010B5490,000000F0), ref: 002565C3
                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002565F5
                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0025661F
                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00256630
                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0025664A
                                  Similarity
                                  • API ID: LongWindow$MessageSend
                                  • String ID:
                                  • API String ID: 2178440468-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 002480A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002480CB
                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002464D9
                                  • WSAGetLastError.WSOCK32(00000000), ref: 002464E8
                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00246521
                                  • connect.WSOCK32(00000000,?,00000010), ref: 0024652A
                                  • WSAGetLastError.WSOCK32 ref: 00246534
                                  • closesocket.WSOCK32(00000000), ref: 0024655D
                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00246576
                                  Similarity
                                  • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                  • String ID:
                                  • API String ID: 910771015-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0022E0FA
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0022E120
                                  • SysAllocString.OLEAUT32(00000000), ref: 0022E123
                                  • SysAllocString.OLEAUT32 ref: 0022E144
                                  • SysFreeString.OLEAUT32 ref: 0022E14D
                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 0022E167
                                  • SysAllocString.OLEAUT32(?), ref: 0022E175
                                  Similarity
                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                  • String ID:
                                  • API String ID: 3761583154-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 001D1D73
                                    • Part of subcall function 001D1D35: GetStockObject.GDI32(00000011), ref: 001D1D87
                                    • Part of subcall function 001D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 001D1D91
                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002578A1
                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002578AE
                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002578B9
                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002578C8
                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002578D4
                                  Strings
                                  Similarity
                                  • API ID: MessageSend$CreateObjectStockWindow
                                  • String ID: Msctls_Progress32
                                  • API String ID: 1025951953-3636473452
                                  • Opcode ID: 9284873c2f09f366c332c7f455e29975266725aba71ba22d7ac9680f860b840a
                                  • Instruction ID: 85dabd7fe00af5297dd30bdfcd058cf4dda9ad78b352f403ad46ea8e4fbf3a16
                                  • Opcode Fuzzy Hash: 9284873c2f09f366c332c7f455e29975266725aba71ba22d7ac9680f860b840a
                                  • Instruction Fuzzy Hash: E11182B255021ABFEF159F60DC89EE77F6DEF08768F014115FA14A6090C772AC21DBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,001F4292,?), ref: 001F41E3
                                  • GetProcAddress.KERNEL32(00000000), ref: 001F41EA
                                  • EncodePointer.KERNEL32(00000000), ref: 001F41F6
                                  • DecodePointer.KERNEL32(00000001,001F4292,?), ref: 001F4213
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                  • String ID: RoInitialize$combase.dll
                                  • API String ID: 3489934621-340411864
                                  • Opcode ID: 15d2796185cf434bc2d80dec7a3ce4e74f8ae4d768f6d5a35d06ea7f902aeaa1
                                  • Instruction ID: ee3d19a3264ee15eae87ac7c49bb0955b1fe07fa1c7e41e53241aecc417d73ea
                                  • Opcode Fuzzy Hash: 15d2796185cf434bc2d80dec7a3ce4e74f8ae4d768f6d5a35d06ea7f902aeaa1
                                  • Instruction Fuzzy Hash: 20E01AB06A0740AFEB607BB0FD0DF153AA5BB61743F108475B51AD50E0DBB540D68F04
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,001F41B8), ref: 001F42B8
                                  • GetProcAddress.KERNEL32(00000000), ref: 001F42BF
                                  • EncodePointer.KERNEL32(00000000), ref: 001F42CA
                                  • DecodePointer.KERNEL32(001F41B8), ref: 001F42E5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                  • String ID: RoUninitialize$combase.dll
                                  • API String ID: 3489934621-2819208100
                                  • Opcode ID: 199e63213a6d9075d569043f6e512fd1e75b68dfb7f3b6d0c24f7e1451ee175c
                                  • Instruction ID: ae7a3b60a555fe08ce5015ebae9484276cb64a593d89663484930e7386d8c044
                                  • Opcode Fuzzy Hash: 199e63213a6d9075d569043f6e512fd1e75b68dfb7f3b6d0c24f7e1451ee175c
                                  • Instruction Fuzzy Hash: 31E0B678591700EBEB60AB60FE0DF163AA4B724787F104066F149E20B0CBB44595CA18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memmove$__itow__swprintf
                                  • String ID:
                                  • API String ID: 3253778849-0
                                  • Opcode ID: cb1dd912e883e8d9c29446e36cc817b48adc01cf96968c0a1b7864e8d4a650fe
                                  • Instruction ID: cb9e8851b6f8edf8301fafb1516551cf972b2c8e9be41d221c111fe986cccf29
                                  • Opcode Fuzzy Hash: cb1dd912e883e8d9c29446e36cc817b48adc01cf96968c0a1b7864e8d4a650fe
                                  • Instruction Fuzzy Hash: 4161BD7051065ABBCF15EF20CC86FFE77A8AF14308F04851AF9595B292DB34AD15CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                    • Part of subcall function 002510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00250038,?,?), ref: 002510BC
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00250548
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00250588
                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002505AB
                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002505D4
                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00250617
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00250624
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                  • String ID:
                                  • API String ID: 4046560759-0
                                  • Opcode ID: ffbc86b786200472efcb0cec2ae3cf0f6199b2a0e0301ab1acfc0eab5de8e2b0
                                  • Instruction ID: 92701ebe5533f74213a15c78bc4a380d6d82e7c520f45832ed305424188a1337
                                  • Opcode Fuzzy Hash: ffbc86b786200472efcb0cec2ae3cf0f6199b2a0e0301ab1acfc0eab5de8e2b0
                                  • Instruction Fuzzy Hash: 9F515731118201AFCB14EF64DC85E6EBBE9FF88314F04491EF945872A1EB71E918CB56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetMenu.USER32(?), ref: 00255A82
                                  • GetMenuItemCount.USER32(00000000), ref: 00255AB9
                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00255AE1
                                  • GetMenuItemID.USER32(?,?), ref: 00255B50
                                  • GetSubMenu.USER32(?,?), ref: 00255B5E
                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 00255BAF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Menu$Item$CountMessagePostString
                                  • String ID:
                                  • API String ID: 650687236-0
                                  • Opcode ID: a6c3ff0f0f25e9d064100cc72fc1fde2d6a93b7fe8eb04b5bca53d65d7ecb15c
                                  • Instruction ID: cb5ca4de4066204f536b3c9158b3c6616197430c7733b0c47ab5e3762174e80e
                                  • Opcode Fuzzy Hash: a6c3ff0f0f25e9d064100cc72fc1fde2d6a93b7fe8eb04b5bca53d65d7ecb15c
                                  • Instruction Fuzzy Hash: 3651B031A10626EFCF14EFA4C855AAEB7B4EF48325F104469FD11B7351CB70AE418B94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 0022F3F7
                                  • VariantClear.OLEAUT32(00000013), ref: 0022F469
                                  • VariantClear.OLEAUT32(00000000), ref: 0022F4C4
                                  • _memmove.LIBCMT ref: 0022F4EE
                                  • VariantClear.OLEAUT32(?), ref: 0022F53B
                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0022F569
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Variant$Clear$ChangeInitType_memmove
                                  • String ID:
                                  • API String ID: 1101466143-0
                                  • Opcode ID: b3f13e7c43c2ebc442f827c0c2c2c3cc5d0fb126dfd09b3252cdd81e74491ad8
                                  • Instruction ID: d43af1b619d7b913a0914f5d83f60896b8cc4b5e70444f91870b094c97560e40
                                  • Opcode Fuzzy Hash: b3f13e7c43c2ebc442f827c0c2c2c3cc5d0fb126dfd09b3252cdd81e74491ad8
                                  • Instruction Fuzzy Hash: 7F516CB5A10219EFCB10DF58D884AAAB7B8FF4C314B158169EE59DB300D730E921CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 00232747
                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00232792
                                  • IsMenu.USER32(00000000), ref: 002327B2
                                  • CreatePopupMenu.USER32 ref: 002327E6
                                  • GetMenuItemCount.USER32(000000FF), ref: 00232844
                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00232875
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                  • String ID:
                                  • API String ID: 3311875123-0
                                  • Opcode ID: 161dbfd7bbf5baac25d6ba325f433ea719b3e9c795d9ef80af1c861dba358ada
                                  • Instruction ID: 90dba9feaf82e79cd9c6857f4889a470c113b064897eb88659d4ace0fd1c4e64
                                  • Opcode Fuzzy Hash: 161dbfd7bbf5baac25d6ba325f433ea719b3e9c795d9ef80af1c861dba358ada
                                  • Instruction Fuzzy Hash: 8B51D6B0A20306EFDF25CF68D888BADBBF5FF44314F104569E411AB291D7709969CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D2612: GetWindowLongW.USER32(?,000000EB), ref: 001D2623
                                  • BeginPaint.USER32(?,?,?,?,?,?), ref: 001D179A
                                  • GetWindowRect.USER32(?,?), ref: 001D17FE
                                  • ScreenToClient.USER32(?,?), ref: 001D181B
                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001D182C
                                  • EndPaint.USER32(?,?), ref: 001D1876
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                  • String ID:
                                  • API String ID: 1827037458-0
                                  • Opcode ID: cdc85e8c826bc11ae6ee991b22b7c7a573151473f71a05266ae01d77144105a7
                                  • Instruction ID: 03be115f8de7f48cc06bbaff8608ad383936245b2dca00317de3586181dfc38b
                                  • Opcode Fuzzy Hash: cdc85e8c826bc11ae6ee991b22b7c7a573151473f71a05266ae01d77144105a7
                                  • Instruction Fuzzy Hash: B9419171204301BFDB11DF25DC88FBA7BE8FB55724F14066AF9A4872A2C7319845DB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ShowWindow.USER32(002967B0,00000000,010B5490,?,?,002967B0,?,0025B862,?,?), ref: 0025B9CC
                                  • EnableWindow.USER32(00000000,00000000), ref: 0025B9F0
                                  • ShowWindow.USER32(002967B0,00000000,010B5490,?,?,002967B0,?,0025B862,?,?), ref: 0025BA50
                                  • ShowWindow.USER32(00000000,00000004,?,0025B862,?,?), ref: 0025BA62
                                  • EnableWindow.USER32(00000000,00000001), ref: 0025BA86
                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0025BAA9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$Show$Enable$MessageSend
                                  • String ID:
                                  • API String ID: 642888154-0
                                  • Opcode ID: 496dd0552d792c8408247661f952720c9a0cdddc1d1a1051282be6c3cb8c49bb
                                  • Instruction ID: 950e26fd168ca0c9d7cb3070bc5e16127ee9b261cb6b8878dd19d36e12453145
                                  • Opcode Fuzzy Hash: 496dd0552d792c8408247661f952720c9a0cdddc1d1a1051282be6c3cb8c49bb
                                  • Instruction Fuzzy Hash: 22415330610242AFDB23CF14D589B957BE0BB09312F1841B9FE588F2A2C731A859CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetForegroundWindow.USER32(?,?,?,?,?,?,00245134,?,?,00000000,00000001), ref: 002473BF
                                    • Part of subcall function 00243C94: GetWindowRect.USER32(?,?), ref: 00243CA7
                                  • GetDesktopWindow.USER32 ref: 002473E9
                                  • GetWindowRect.USER32(00000000), ref: 002473F0
                                  • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00247422
                                    • Part of subcall function 002354E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0023555E
                                  • GetCursorPos.USER32(?), ref: 0024744E
                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002474AC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                  • String ID:
                                  • API String ID: 4137160315-0
                                  • Opcode ID: a5f142a06c9a201e82f6cf63ed1b2db94a62c5de7ca5108c205926babb4edb32
                                  • Instruction ID: a0db050347bf6087f8d5dbe93aa9009ffb6b4ae55367ffd187e0d9b694def604
                                  • Opcode Fuzzy Hash: a5f142a06c9a201e82f6cf63ed1b2db94a62c5de7ca5108c205926babb4edb32
                                  • Instruction Fuzzy Hash: 69312572508306AFC724DF14D849FABBBE9FF88304F000929F59897191D770EA18CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 002285F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00228608
                                    • Part of subcall function 002285F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00228612
                                    • Part of subcall function 002285F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00228621
                                    • Part of subcall function 002285F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00228628
                                    • Part of subcall function 002285F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0022863E
                                  • GetLengthSid.ADVAPI32(?,00000000,00228977), ref: 00228DAC
                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00228DB8
                                  • HeapAlloc.KERNEL32(00000000), ref: 00228DBF
                                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 00228DD8
                                  • GetProcessHeap.KERNEL32(00000000,00000000,00228977), ref: 00228DEC
                                  • HeapFree.KERNEL32(00000000), ref: 00228DF3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                  • String ID:
                                  • API String ID: 3008561057-0
                                  • Opcode ID: b3e08439b17a01a360dd3364c12f1cc6947288e304561343f4dfc9b821d04073
                                  • Instruction ID: fb55a8eec2972e70b9304bbed16418c1049acd9b86e2257e963d69240343891c
                                  • Opcode Fuzzy Hash: b3e08439b17a01a360dd3364c12f1cc6947288e304561343f4dfc9b821d04073
                                  • Instruction Fuzzy Hash: 0311E132522615FFDB509FA4ED08BAE7769EF55316F108069E84593250CB31E918CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00228B2A
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00228B31
                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00228B40
                                  • CloseHandle.KERNEL32(00000004), ref: 00228B4B
                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00228B7A
                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 00228B8E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                   • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                  • String ID:
                                  • API String ID: 1413079979-0
                                  • Opcode ID: a99731645cba9821d32f99000edc0e55b209a4e492b437c487f69ce2d3a2b7ee
                                  • Instruction ID: 6ed8399a6f118de5e2d88c85672cb440136395c6f56e5918977ddd07ac9cae3a
                                  • Opcode Fuzzy Hash: a99731645cba9821d32f99000edc0e55b209a4e492b437c487f69ce2d3a2b7ee
                                  • Instruction Fuzzy Hash: 96115CB250120ABBDF018FA4ED49FEA7BA9EF08309F044068FE04E2160C775CD60DB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001D134D
                                    • Part of subcall function 001D12F3: SelectObject.GDI32(?,00000000), ref: 001D135C
                                    • Part of subcall function 001D12F3: BeginPath.GDI32(?), ref: 001D1373
                                    • Part of subcall function 001D12F3: SelectObject.GDI32(?,00000000), ref: 001D139C
                                  • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0025C1C4
                                  • LineTo.GDI32(00000000,00000003,?), ref: 0025C1D8
                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0025C1E6
                                  • LineTo.GDI32(00000000,00000000,?), ref: 0025C1F6
                                  • EndPath.GDI32(00000000), ref: 0025C206
                                  • StrokePath.GDI32(00000000), ref: 0025C216
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                  • String ID:
                                  • API String ID: 43455801-0
                                  • Opcode ID: 794b066ef7ec2b3da70690c2377f2b3522a8299e8fd6ae7718e3402768c88c37
                                  • Instruction ID: befd7626e75a2a880f956c014d78445e58364bfbbbeb7fbd1ae630aec2e50b09
                                  • Opcode Fuzzy Hash: 794b066ef7ec2b3da70690c2377f2b3522a8299e8fd6ae7718e3402768c88c37
                                  • Instruction Fuzzy Hash: E0111E7640020DBFDF119F90EC4CEAA7FADFB04355F048021BD18961A1D7729D59DBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 001F03D3
                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 001F03DB
                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 001F03E6
                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 001F03F1
                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 001F03F9
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 001F0401
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Virtual
                                  • String ID:
                                  • API String ID: 4278518827-0
                                  • Opcode ID: 64ae21a251aa2286c3a605aead03339d1a5234ecf271a8811174c6dd5df54bc7
                                  • Instruction ID: c08caabce20178710a88490417f20a337ef2407d3a6025ec9b8a80b4fa348ec9
                                  • Opcode Fuzzy Hash: 64ae21a251aa2286c3a605aead03339d1a5234ecf271a8811174c6dd5df54bc7
                                  • Instruction Fuzzy Hash: F20148B09017597DE3009F5A8C85A52FEA8FF19354F00411BA15847941C7B5A864CBE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0023569B
                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002356B1
                                  • GetWindowThreadProcessId.USER32(?,?), ref: 002356C0
                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002356CF
                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002356D9
                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002356E0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                  • String ID:
                                  • API String ID: 839392675-0
                                  • Opcode ID: 5ee6eb9f37a120cbe7021deb0018a17a41632ec0881a117cee0d8b7439b40984
                                  • Instruction ID: fa76dba16bf844331141218f0254157db1bcdb2533d37997729d50e5846a9c07
                                  • Opcode Fuzzy Hash: 5ee6eb9f37a120cbe7021deb0018a17a41632ec0881a117cee0d8b7439b40984
                                  • Instruction Fuzzy Hash: A6F03631141659BBE7615B52ED0DEEF7F7CEFC6B12F000169FA14D1050D7B15A0186B9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • InterlockedExchange.KERNEL32(?,?), ref: 002374E5
                                  • EnterCriticalSection.KERNEL32(?,?,001E1044,?,?), ref: 002374F6
                                  • TerminateThread.KERNEL32(00000000,000001F6,?,001E1044,?,?), ref: 00237503
                                  • WaitForSingleObject.KERNEL32(00000000,000003E8,?,001E1044,?,?), ref: 00237510
                                    • Part of subcall function 00236ED7: CloseHandle.KERNEL32(00000000,?,0023751D,?,001E1044,?,?), ref: 00236EE1
                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00237523
                                  • LeaveCriticalSection.KERNEL32(?,?,001E1044,?,?), ref: 0023752A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                  • String ID:
                                  • API String ID: 3495660284-0
                                  • Opcode ID: 407d7f801be6632224e00e254b8d56dd8a45adb031f270423319b7e21caf8047
                                  • Instruction ID: 17f6f169da3e159006997d26c9471b45c9f340aebc00d680c05b92ec89d3dd64
                                  • Opcode Fuzzy Hash: 407d7f801be6632224e00e254b8d56dd8a45adb031f270423319b7e21caf8047
                                  • Instruction Fuzzy Hash: 42F05EBA141712EBEB512B64FE8CAEB772AEF45303F400532FA02D14B0CB755811CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00228E7F
                                  • UnloadUserProfile.USERENV(?,?), ref: 00228E8B
                                  • CloseHandle.KERNEL32(?), ref: 00228E94
                                  • CloseHandle.KERNEL32(?), ref: 00228E9C
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00228EA5
                                  • HeapFree.KERNEL32(00000000), ref: 00228EAC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                  • String ID:
                                  • API String ID: 146765662-0
                                  • Opcode ID: 3dc66a2561da1c95ea80e0669abca96bc6a2a7993ccede8eb349ad281c0b4b7a
                                  • Instruction ID: a16af467f6bed3a174685b80dfdaa2677b0f4a2ce0af829c667fe6ce384f29a7
                                  • Opcode Fuzzy Hash: 3dc66a2561da1c95ea80e0669abca96bc6a2a7993ccede8eb349ad281c0b4b7a
                                  • Instruction Fuzzy Hash: 1CE0C236004601FBDA412FE1FE0C90ABB69FB89323B108230F21981470CB32A820DB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00262C7C,?), ref: 00227C32
                                  • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00262C7C,?), ref: 00227C4A
                                  • CLSIDFromProgID.OLE32(?,?,00000000,0025FB80,000000FF,?,00000000,00000800,00000000,?,00262C7C,?), ref: 00227C6F
                                  • _memcmp.LIBCMT ref: 00227C90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: FromProg$FreeTask_memcmp
                                  • String ID: ,,&
                                  • API String ID: 314563124-623544517
                                  • Opcode ID: a27b52a1e08b5f3dbb784fbea2109de6a89fc051740b096e2552234befd24a00
                                  • Instruction ID: f6b3a138fa5ed262b2c605ec2f76a43093e9264796014b71fc2dc4930476067e
                                  • Opcode Fuzzy Hash: a27b52a1e08b5f3dbb784fbea2109de6a89fc051740b096e2552234befd24a00
                                  • Instruction Fuzzy Hash: 10812971A1411AEFCB00DFE4C988EEEB7B9FF89315F204199E505AB250DB71AE05CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 00248928
                                  • CharUpperBuffW.USER32(?,?), ref: 00248A37
                                  • VariantClear.OLEAUT32(?), ref: 00248BAF
                                    • Part of subcall function 00237804: VariantInit.OLEAUT32(00000000), ref: 00237844
                                    • Part of subcall function 00237804: VariantCopy.OLEAUT32(00000000,?), ref: 0023784D
                                    • Part of subcall function 00237804: VariantClear.OLEAUT32(00000000), ref: 00237859
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Variant$ClearInit$BuffCharCopyUpper
                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                  • API String ID: 4237274167-1221869570
                                  • Opcode ID: bfd1439cb93b3af7d396f2249e56a01f3bbbddacfdcedb4b5e71483528530bd5
                                  • Instruction ID: 9dcb7cb62a571f2d7e35762d2e3dad8b9f665b48ce3a42e4799a3cb19cff22a9
                                  • Opcode Fuzzy Hash: bfd1439cb93b3af7d396f2249e56a01f3bbbddacfdcedb4b5e71483528530bd5
                                  • Instruction Fuzzy Hash: B2918D716287029FC714EF28C48496EBBF4EF99304F04496EF89A8B361DB31E945CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001EFEC6: _wcscpy.LIBCMT ref: 001EFEE9
                                  • _memset.LIBCMT ref: 00233077
                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002330A6
                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00233159
                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00233187
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                  • String ID: 0
                                  • API String ID: 4152858687-4108050209
                                  • Opcode ID: 3ae9fb95ad23ed8ff0c36a414a4620b7aea4ae14861220468621436d894eb5b6
                                  • Instruction ID: 81901c3feef86c1283e11bddadec8e44d00fd6129748f2a7295bfffddee19192
                                  • Opcode Fuzzy Hash: 3ae9fb95ad23ed8ff0c36a414a4620b7aea4ae14861220468621436d894eb5b6
                                  • Instruction Fuzzy Hash: 0251A3B1638302AAD715DF28D849A6BB7E4EF55360F040A2EF8D9D3191DB70CF648792
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 00232CAF
                                  • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00232CCB
                                  • DeleteMenu.USER32(?,00000007,00000000), ref: 00232D11
                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00296890,00000000), ref: 00232D5A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Menu$Delete$InfoItem_memset
                                  • String ID: 0
                                  • API String ID: 1173514356-4108050209
                                  • Opcode ID: 421831396e4c5ed2fc49d95ce4505d09d5f7f02e0fb067645935c07151d51ace
                                  • Instruction ID: 4d3b177e4666b02c01e80328ec860291abd8bf181e46f2cfda90fbed4a0df753
                                  • Opcode Fuzzy Hash: 421831396e4c5ed2fc49d95ce4505d09d5f7f02e0fb067645935c07151d51ace
                                  • Instruction Fuzzy Hash: C641A0B0214306DFD724DF24D844B1ABBE8EF85720F14461EF96597291DB70E918CBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0024DAD9
                                    • Part of subcall function 001D79AB: _memmove.LIBCMT ref: 001D79F9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: BuffCharLower_memmove
                                  • String ID: cdecl$none$stdcall$winapi
                                  • API String ID: 3425801089-567219261
                                  • Opcode ID: 59e1dc41fe048a9898a79dff859337bd2ecb4f6eb8ce309f180c32050554e1f3
                                  • Instruction ID: d3b6c1afc95e3ba33639ed24233103b9cab37af34dcb2c23958eaf8a36957105
                                  • Opcode Fuzzy Hash: 59e1dc41fe048a9898a79dff859337bd2ecb4f6eb8ce309f180c32050554e1f3
                                  • Instruction Fuzzy Hash: B631B27051061AAFCF14EF94CC809BEB3B4FF15324B108A2AE875A77D1DB71A915CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                    • Part of subcall function 0022B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0022B0E7
                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002293F6
                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00229409
                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 00229439
                                    • Part of subcall function 001D7D2C: _memmove.LIBCMT ref: 001D7D66
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend$_memmove$ClassName
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 365058703-1403004172
                                  • Opcode ID: 2a18a243b62402a78069fe1c98dbbe7f5d194b2d763766e7239a93d2aed4ff7f
                                  • Instruction ID: b9d450041535f660cdb5aa04ed6af8467577986aa06e9e63278a1eed16ac2a8a
                                  • Opcode Fuzzy Hash: 2a18a243b62402a78069fe1c98dbbe7f5d194b2d763766e7239a93d2aed4ff7f
                                  • Instruction Fuzzy Hash: 8221F371910118BBDB14ABB0EC85CFFB7BCDF55360F14412AF925972E1DB350A5ADA20
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 001D1D73
                                    • Part of subcall function 001D1D35: GetStockObject.GDI32(00000011), ref: 001D1D87
                                    • Part of subcall function 001D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 001D1D91
                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002566D0
                                  • LoadLibraryW.KERNEL32(?), ref: 002566D7
                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002566EC
                                  • DestroyWindow.USER32(?), ref: 002566F4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                  • String ID: SysAnimate32
                                  • API String ID: 4146253029-1011021900
                                  • Opcode ID: 757604455e7976e971aaa377f182f75925a1908bc817a8ba47b88cee08e51e4e
                                  • Instruction ID: 63e8b5b90df2b20f14ae40a20a300cdc5f406899d0b87f2e1f23d5e504adb103
                                  • Opcode Fuzzy Hash: 757604455e7976e971aaa377f182f75925a1908bc817a8ba47b88cee08e51e4e
                                  • Instruction Fuzzy Hash: 2A21B071120206BFEF104E64EC88EBB77ADEB19329F900229FD1093190C775CC659B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetStdHandle.KERNEL32(0000000C), ref: 0023705E
                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00237091
                                  • GetStdHandle.KERNEL32(0000000C), ref: 002370A3
                                  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002370DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CreateHandle$FilePipe
                                  • String ID: nul
                                  • API String ID: 4209266947-2873401336
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetStdHandle.KERNEL32(000000F6), ref: 0023712B
                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0023715D
                                  • GetStdHandle.KERNEL32(000000F6), ref: 0023716E
                                  • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002371A8
                                  Strings
                                  Similarity
                                  • API ID: CreateHandle$FilePipe
                                  • String ID: nul
                                  • API String ID: 4209266947-2873401336
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0023AEBF
                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0023AF13
                                  • __swprintf.LIBCMT ref: 0023AF2C
                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000,0025F910), ref: 0023AF6A
                                  Strings
                                  Similarity
                                  • API ID: ErrorMode$InformationVolume__swprintf
                                  • String ID: %lu
                                  • API String ID: 3164766367-685833217
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D7D2C: _memmove.LIBCMT ref: 001D7D66
                                    • Part of subcall function 0022A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0022A399
                                    • Part of subcall function 0022A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0022A3AC
                                    • Part of subcall function 0022A37C: GetCurrentThreadId.KERNEL32 ref: 0022A3B3
                                    • Part of subcall function 0022A37C: AttachThreadInput.USER32(00000000), ref: 0022A3BA
                                  • GetFocus.USER32 ref: 0022A554
                                    • Part of subcall function 0022A3C5: GetParent.USER32(?), ref: 0022A3D3
                                  • GetClassNameW.USER32(?,?,00000100), ref: 0022A59D
                                  • EnumChildWindows.USER32(?,0022A615), ref: 0022A5C5
                                  • __swprintf.LIBCMT ref: 0022A5DF
                                  Strings
                                  Similarity
                                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                  • String ID: %s%d
                                  • API String ID: 1941087503-1110647743
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CharUpperBuffW.USER32(?,?), ref: 00232048
                                  Strings
                                  Similarity
                                  • API ID: BuffCharUpper
                                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                                  • API String ID: 3964851224-769500911
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0024EF1B
                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0024EF4B
                                  • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0024F07E
                                  • CloseHandle.KERNEL32(?), ref: 0024F0FF
                                  Similarity
                                  • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                  • String ID:
                                  • API String ID: 2364364464-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                    • Part of subcall function 002510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00250038,?,?), ref: 002510BC
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00250388
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002503C7
                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0025040E
                                  • RegCloseKey.ADVAPI32(?,?), ref: 0025043A
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00250447
                                  Similarity
                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                  • String ID:
                                  • API String ID: 3440857362-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0023E88A
                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0023E8B3
                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0023E8F2
                                    • Part of subcall function 001D9997: __itow.LIBCMT ref: 001D99C2
                                    • Part of subcall function 001D9997: __swprintf.LIBCMT ref: 001D9A0C
                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0023E917
                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0023E91F
                                  Similarity
                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                  • String ID:
                                  • API String ID: 1389676194-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCursorPos.USER32(?), ref: 001D2357
                                  • ScreenToClient.USER32(002967B0,?), ref: 001D2374
                                  • GetAsyncKeyState.USER32(00000001), ref: 001D2399
                                  • GetAsyncKeyState.USER32(00000002), ref: 001D23A7
                                  Similarity
                                  • API ID: AsyncState$ClientCursorScreen
                                  • String ID:
                                  • API String ID: 4210589936-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0022695D
                                  • TranslateAcceleratorW.USER32(?,?,?), ref: 002269A9
                                  • TranslateMessage.USER32(?), ref: 002269D2
                                  • DispatchMessageW.USER32(?), ref: 002269DC
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002269EB
                                  Similarity
                                  • API ID: Message$PeekTranslate$AcceleratorDispatch
                                  • String ID:
                                  • API String ID: 2108273632-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00228F12
                                  • PostMessageW.USER32(?,00000201,00000001), ref: 00228FBC
                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00228FC4
                                  • PostMessageW.USER32(?,00000202,00000000), ref: 00228FD2
                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00228FDA
                                  Similarity
                                  • API ID: MessagePostSleep$RectWindow
                                  • String ID:
                                  • API String ID: 3382505437-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • IsWindowVisible.USER32(?), ref: 0022B6C7
                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0022B6E4
                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0022B71C
                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0022B742
                                  • _wcsstr.LIBCMT ref: 0022B74C
                                  Similarity
                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                  • String ID:
                                  • API String ID: 3902887630-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D2612: GetWindowLongW.USER32(?,000000EB), ref: 001D2623
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0025B44C
                                  • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0025B471
                                  • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0025B489
                                  • GetSystemMetrics.USER32(00000004), ref: 0025B4B2
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00241184,00000000), ref: 0025B4D0
                                  Similarity
                                  • API ID: Window$Long$MetricsSystem
                                  • String ID:
                                  • API String ID: 2294984445-0
                                  • Opcode ID: 24cca8e7171f5c0d90f6e12e2e78052d4a179f80ff26188be032d4a0772dea62
                                  • Instruction ID: b5c8c2d4d4731a6983119df6a4e14b3afa9aeeaf41e686898b3bc02040ddcff9
                                  • Opcode Fuzzy Hash: 24cca8e7171f5c0d90f6e12e2e78052d4a179f80ff26188be032d4a0772dea62
                                  • Instruction Fuzzy Hash: 3321B231930216AFCB219F38DC58A6A7BA4FB05722F114739FD26C71E2E7309824DB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00229802
                                    • Part of subcall function 001D7D2C: _memmove.LIBCMT ref: 001D7D66
                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00229834
                                  • __itow.LIBCMT ref: 0022984C
                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00229874
                                  • __itow.LIBCMT ref: 00229885
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend$__itow$_memmove
                                  • String ID:
                                  • API String ID: 2983881199-0
                                  • Opcode ID: c7236bbb95818474cd5db174619092af0ab8d8a3588af1be40c203b3a6169d33
                                  • Instruction ID: ba03ec956c88fec953b75a5a23c07b595ed57b2a35394b2c3c05a04d568ab92a
                                  • Opcode Fuzzy Hash: c7236bbb95818474cd5db174619092af0ab8d8a3588af1be40c203b3a6169d33
                                  • Instruction Fuzzy Hash: 7221DD71B10214BBDB10AFA59C8AEEE7BADDF5A720F080035FD04D7291D7709D958792
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001D134D
                                  • SelectObject.GDI32(?,00000000), ref: 001D135C
                                  • BeginPath.GDI32(?), ref: 001D1373
                                  • SelectObject.GDI32(?,00000000), ref: 001D139C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ObjectSelect$BeginCreatePath
                                  • String ID:
                                  • API String ID: 3225163088-0
                                  • Opcode ID: 3b123a22a9ad73e4f9866dc5869e68ec853c367affb5b29dcf2ff21e13326a19
                                  • Instruction ID: bce12e5f8c574f1463599a7b52eaa6ef3acfd9629bccc6dba888f94688ca81a6
                                  • Opcode Fuzzy Hash: 3b123a22a9ad73e4f9866dc5869e68ec853c367affb5b29dcf2ff21e13326a19
                                  • Instruction Fuzzy Hash: 11213771810308FBDB119F29ED0C7AA7BF8FB10362F148227F814962A0D7719999DB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memcmp
                                  • String ID:
                                  • API String ID: 2931989736-0
                                  • Opcode ID: d5cefdef35f65f9161b6c63ff41facdc3564021a01921ff5d5beb2bdf2d59ade
                                  • Instruction ID: a481657fa5e77b82f634675a754adb0ce3a8863f35afde40cc185d03edcbff20
                                  • Opcode Fuzzy Hash: d5cefdef35f65f9161b6c63ff41facdc3564021a01921ff5d5beb2bdf2d59ade
                                  • Instruction Fuzzy Hash: 2F01B9B1A2852ABBE204A9646C43F7F775C9F313A8F544111FE08D6283E791DE3582E0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00234D5C
                                  • __beginthreadex.LIBCMT ref: 00234D7A
                                  • MessageBoxW.USER32(?,?,?,?), ref: 00234D8F
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00234DA5
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00234DAC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                  • String ID:
                                  • API String ID: 3824534824-0
                                  • Opcode ID: 94df6890308bb9a15c673931ddd2cd022820c79a954661827796fcc2e35a8c52
                                  • Instruction ID: bcbcb1e664a79cebe9021b806bdd94df2913145694c82794b91703248bb7c46d
                                  • Opcode Fuzzy Hash: 94df6890308bb9a15c673931ddd2cd022820c79a954661827796fcc2e35a8c52
                                  • Instruction Fuzzy Hash: 6F11E5B2914659BBC701AFB8AC0CA9B7BACEB45321F1442AAFD14D3250D6718D1087A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00228766
                                  • GetLastError.KERNEL32(?,0022822A,?,?,?), ref: 00228770
                                  • GetProcessHeap.KERNEL32(00000008,?,?,0022822A,?,?,?), ref: 0022877F
                                  • HeapAlloc.KERNEL32(00000000,?,0022822A,?,?,?), ref: 00228786
                                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0022879D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                  • String ID:
                                  • API String ID: 842720411-0
                                  • Opcode ID: 0b71b742d208d93ee53fd7304bcdf837b81618f2dbf424fdff15d242b3bc2456
                                  • Instruction ID: 9d227b4e7a8bad0c59b1ee132dd6801e27405dffe98ec7d17e21d3be68ebf0d0
                                  • Opcode Fuzzy Hash: 0b71b742d208d93ee53fd7304bcdf837b81618f2dbf424fdff15d242b3bc2456
                                  • Instruction Fuzzy Hash: 3C014B75212215FFDB204FA6ED8CD6BBBACEF893567200469F849C3260DA31CC20CA60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00235502
                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00235510
                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00235518
                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00235522
                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0023555E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                  • String ID:
                                  • API String ID: 2833360925-0
                                  • Opcode ID: ebab6de0923e662aab05747d927a3839f0fb203ae20e17c32f91d7952bdbafc8
                                  • Instruction ID: 865ce5a5d833321507b29b552fe9564ea04a35d49c6b0929f948324d7903e3f6
                                  • Opcode Fuzzy Hash: ebab6de0923e662aab05747d927a3839f0fb203ae20e17c32f91d7952bdbafc8
                                  • Instruction Fuzzy Hash: B1016D71C21A29DBCF00EFE8E94C6EDBB78FB09702F414456E909F2140DB30A660C7A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0022758C,80070057,?,?,?,0022799D), ref: 0022766F
                                  • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0022758C,80070057,?,?), ref: 0022768A
                                  • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0022758C,80070057,?,?), ref: 00227698
                                  • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0022758C,80070057,?), ref: 002276A8
                                  • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0022758C,80070057,?,?), ref: 002276B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                  • String ID:
                                  • API String ID: 3897988419-0
                                  • Opcode ID: 541151a03f2c57e8b65bd36efe367641ac0457bbca99b87ead69d0e412c74126
                                  • Instruction ID: 0da04dd99d1b1f5672d0577559033d922e0776e682288c12f1f9cfb28c63ff8e
                                  • Opcode Fuzzy Hash: 541151a03f2c57e8b65bd36efe367641ac0457bbca99b87ead69d0e412c74126
                                  • Instruction Fuzzy Hash: A701D472625724BBEB105F98ED0CBAA7BADEB44752F100028FD04D2211E731DD5187A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00228608
                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00228612
                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00228621
                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00228628
                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0022863E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                  • String ID:
                                  • API String ID: 44706859-0
                                  • Opcode ID: fee647e074e3ca5f6c94e65da83d9cf972f812aac92ac628172f55876eeea0a0
                                  • Instruction ID: 38990ac1e971efae59ab7e38340faf7c5656ea5b7502f26bd2b9bc2ccbcb7c61
                                  • Opcode Fuzzy Hash: fee647e074e3ca5f6c94e65da83d9cf972f812aac92ac628172f55876eeea0a0
                                  • Instruction Fuzzy Hash: 7AF08C34212316BFEB200FA4ED8DE7B3BACEF89755B004025F90982190CA70DC51DA60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00228669
                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00228673
                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00228682
                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00228689
                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0022869F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                  • String ID:
                                  • API String ID: 44706859-0
                                  • Opcode ID: c52558609a7581313d27a23c1ae6a9869879072d43bddf9c3fe1ca699e8b6fa8
                                  • Instruction ID: 05c53ab9cd20d0d3412c751270e8f3b91007467591fc2f1dd75cdf72fa832e69
                                  • Opcode Fuzzy Hash: c52558609a7581313d27a23c1ae6a9869879072d43bddf9c3fe1ca699e8b6fa8
                                  • Instruction Fuzzy Hash: 81F0A970212325BFEB211FA4FC8CE7B3BADEF89756B140029F909C2190CA70D890DA60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetDlgItem.USER32(?,000003E9), ref: 0022C6BA
                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 0022C6D1
                                  • MessageBeep.USER32(00000000), ref: 0022C6E9
                                  • KillTimer.USER32(?,0000040A), ref: 0022C705
                                  • EndDialog.USER32(?,00000001), ref: 0022C71F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                  • String ID:
                                  • API String ID: 3741023627-0
                                  • Opcode ID: c2b6daaee889eec2cbb691f5046bd8af61cf204eafaa0f32a843e8dd16776b33
                                  • Instruction ID: d81dd4e595f92f0e901bcba2c4d933cf05ae18ae56ce0864f8db4f5f4d6e6b07
                                  • Opcode Fuzzy Hash: c2b6daaee889eec2cbb691f5046bd8af61cf204eafaa0f32a843e8dd16776b33
                                  • Instruction Fuzzy Hash: 1B018430410714A7EB206F60FD5EFA6B7BCBB00702F000569B552A14E0DBF069648E44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • EndPath.GDI32(?), ref: 001D13BF
                                  • StrokeAndFillPath.GDI32(?,?,0020BAD8,00000000,?), ref: 001D13DB
                                  • SelectObject.GDI32(?,00000000), ref: 001D13EE
                                  • DeleteObject.GDI32 ref: 001D1401
                                  • StrokePath.GDI32(?), ref: 001D141C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                  • String ID:
                                  • API String ID: 2625713937-0
                                  • Opcode ID: ebf3e4c56ad03947479ca647f47660d91fa5f7bed6ab271614b22a1f5a2fc817
                                  • Instruction ID: e54bc225dcd6881508ebc64955ef9538fa7a2bed4f5cf0ce67a973c132f07d3a
                                  • Opcode Fuzzy Hash: ebf3e4c56ad03947479ca647f47660d91fa5f7bed6ab271614b22a1f5a2fc817
                                  • Instruction Fuzzy Hash: 35F0C430004708FBDB555F26FD0C7583BE4BB01326F08C226E429851F1C7328999DF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001F0FF6: std::exception::exception.LIBCMT ref: 001F102C
                                    • Part of subcall function 001F0FF6: __CxxThrowException@8.LIBCMT ref: 001F1041
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                    • Part of subcall function 001D7BB1: _memmove.LIBCMT ref: 001D7C0B
                                  • __swprintf.LIBCMT ref: 001E302D
                                  Strings
                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 001E2EC6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                  • API String ID: 1943609520-557222456
                                  • Opcode ID: 741d6ed5775640bcefefaef2b500cf65586940940c6f175529b8ebe07e4d8e40
                                  • Instruction ID: 04283767eb393a616b10befc6f5eb7ce2a6ff21308750c788330028e54df686b
                                  • Opcode Fuzzy Hash: 741d6ed5775640bcefefaef2b500cf65586940940c6f175529b8ebe07e4d8e40
                                  • Instruction Fuzzy Hash: 20919C71118741AFC728EF24D889C6FB7E8EFA5740F10091EF496972A1EB20EE45CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OleSetContainedObject.OLE32(?,00000001), ref: 0022B981
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ContainedObject
                                  • String ID: AutoIt3GUI$Container$%&
                                  • API String ID: 3565006973-543968683
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __startOneArgErrorHandling.LIBCMT ref: 001F52DD
                                    • Part of subcall function 00200340: __87except.LIBCMT ref: 0020037B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ErrorHandling__87except__start
                                  • String ID: pow
                                  • API String ID: 2905807303-2276729525
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: #$+
                                  • API String ID: 0-2552117581
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memset$_memmove
                                  • String ID: ERCP
                                  • API String ID: 2532777613-1384759551
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002576D0
                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002576E4
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00257708
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window
                                  • String ID: SysMonthCal32
                                  • API String ID: 2326795674-1439706946
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00256FAA
                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00256FBA
                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00256FDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend$MoveWindow
                                  • String ID: Listbox
                                  • API String ID: 3315199576-2633736733
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002579E1
                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002579F6
                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00257A03
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: msctls_trackbar32
                                  • API String ID: 3850602802-1010561917
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,001D4C2E), ref: 001D4CA3
                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 001D4CB5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                  • API String ID: 2574300362-192647395
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,001D4D2E,?,001D4F4F,?,002962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001D4D6F
                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001D4D81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                  • API String ID: 2574300362-3689287502
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,001D4CE1,?), ref: 001D4DA2
                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001D4DB4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                  • API String ID: 2574300362-1355242751
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,002512C1), ref: 00251080
                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00251092
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                  • API String ID: 2574300362-4033151799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00249009,?,0025F910), ref: 00249403
                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00249415
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetModuleHandleExW$kernel32.dll
                                  • API String ID: 2574300362-199464113
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CharLowerBuffW.USER32(?,?), ref: 0024E3D2
                                  • CharLowerBuffW.USER32(?,?), ref: 0024E415
                                    • Part of subcall function 0024DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0024DAD9
                                  • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0024E615
                                  • _memmove.LIBCMT ref: 0024E628
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: BuffCharLower$AllocVirtual_memmove
                                  • String ID:
                                  • API String ID: 3659485706-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 002483D8
                                  • CoUninitialize.OLE32 ref: 002483E3
                                    • Part of subcall function 0022DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0022DAC5
                                  • VariantInit.OLEAUT32(?), ref: 002483EE
                                  • VariantClear.OLEAUT32(?), ref: 002486BF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                  • String ID:
                                  • API String ID: 780911581-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Variant$AllocClearCopyInitString
                                  • String ID:
                                  • API String ID: 2808897238-0
                                  • Opcode ID: da88262e6258d99e074a00bcb2ddf9f8c0043b454415dd269369e8736f064cdb
                                  • Instruction ID: fa8ed24b7ff374f3c64c2c3bc84fdd2d5aa556dd8ed608683cadec2865f32791
                                  • Opcode Fuzzy Hash: da88262e6258d99e074a00bcb2ddf9f8c0043b454415dd269369e8736f064cdb
                                  • Instruction Fuzzy Hash: 0951EB31638312BBDB30AFA5F495B3AB3E5AF58310F20881FF556CB691DB7098549B11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetWindowRect.USER32(010BE4A0,?), ref: 00259AD2
                                  • ScreenToClient.USER32(00000002,00000002), ref: 00259B05
                                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00259B72
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$ClientMoveRectScreen
                                  • String ID:
                                  • API String ID: 3880355969-0
                                  • Opcode ID: 23c198118444ba067c2c6efaf3ecc1533b165193f0ed36ba93eba371b5364ed7
                                  • Instruction ID: befdca69eb60dbfc180624d8a038ebc6ea18e28d1a9b2669d2fedd366af0eee3
                                  • Opcode Fuzzy Hash: 23c198118444ba067c2c6efaf3ecc1533b165193f0ed36ba93eba371b5364ed7
                                  • Instruction Fuzzy Hash: E4516C34A1020AEFDF10CF68E984AAE7BF9FB44365F148159FC159B290D730AD95CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • socket.WSOCK32(00000002,00000002,00000011), ref: 00246CE4
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00246CF4
                                    • Part of subcall function 001D9997: __itow.LIBCMT ref: 001D99C2
                                    • Part of subcall function 001D9997: __swprintf.LIBCMT ref: 001D9A0C
                                  • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00246D58
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00246D64
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ErrorLast$__itow__swprintfsocket
                                  • String ID:
                                  • API String ID: 2214342067-0
                                  • Opcode ID: 2db1d3c2a908caeab1ae2c489269db88cf4b0dc15a8eebb1500da29fc137b987
                                  • Instruction ID: c25dd1b7afa39c8a338c461a8404b869815950c1b8a99683c7130074d08447b9
                                  • Opcode Fuzzy Hash: 2db1d3c2a908caeab1ae2c489269db88cf4b0dc15a8eebb1500da29fc137b987
                                  • Instruction Fuzzy Hash: 5641B275740210AFEB24AF24DC8AF3A77E99B18B14F448059FA599F3D2DB719C008B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0025F910), ref: 002467BA
                                  • _strlen.LIBCMT ref: 002467EC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _strlen
                                  • String ID:
                                  • API String ID: 4218353326-0
                                  • Opcode ID: b35a6376c44e02fbeb3f905bd9c7b474f03e29798ade6184980c4fc35f94c32f
                                  • Instruction ID: 0acabb7c908af93e92c7274f5bf52da6d8e695229491e1a5e0cb8e58f28b6894
                                  • Opcode Fuzzy Hash: b35a6376c44e02fbeb3f905bd9c7b474f03e29798ade6184980c4fc35f94c32f
                                  • Instruction Fuzzy Hash: D741C631A10105ABCB18EBA4DCC9FBEB3A9EF55310F148166F8159B392DB70AD15CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0023BB09
                                  • GetLastError.KERNEL32(?,00000000), ref: 0023BB2F
                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0023BB54
                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0023BB80
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                  • String ID:
                                  • API String ID: 3321077145-0
                                  • Opcode ID: 03fce8729abb6e0250de767c5234468ce541ad89a53ce7196bf24eaa08da3fd1
                                  • Instruction ID: 36fd712fd4a526b5a4921a1fd112f2bbe0d97fd1ee9705604a55932c556635e6
                                  • Opcode Fuzzy Hash: 03fce8729abb6e0250de767c5234468ce541ad89a53ce7196bf24eaa08da3fd1
                                  • Instruction Fuzzy Hash: 54413439200A11EFCB15EF14C598A19BBE1EF99324F098499FD4A9B362CB30FD01CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00258B4D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: InvalidateRect
                                  • String ID:
                                  • API String ID: 634782764-0
                                  • Opcode ID: fbf2aedeedd67655175cba0b59cda3a49ad838ea6f94ffdaff34d0178a26fc9c
                                  • Instruction ID: 1ad08fed61a1b5d5610fc9f140485c10374010a700e1b8255dea90318c15b815
                                  • Opcode Fuzzy Hash: fbf2aedeedd67655175cba0b59cda3a49ad838ea6f94ffdaff34d0178a26fc9c
                                  • Instruction Fuzzy Hash: 3D310874620205BFEF209F18DC49FA937A8EB0535AF544512FE51F62A0DFB09D688B49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ClientToScreen.USER32(?,?), ref: 0025AE1A
                                  • GetWindowRect.USER32(?,?), ref: 0025AE90
                                  • PtInRect.USER32(?,?,0025C304), ref: 0025AEA0
                                  • MessageBeep.USER32(00000000), ref: 0025AF11
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Rect$BeepClientMessageScreenWindow
                                  • String ID:
                                  • API String ID: 1352109105-0
                                  • Opcode ID: 3385568a6ea0cc63350716e4d58ce413acb9c239a76aa6ccaf84b4c0da38b9f4
                                  • Instruction ID: ad000aefa21e018eb8e712f0659bf0f3c12fb660cc4aea63696c1778f75be4ae
                                  • Opcode Fuzzy Hash: 3385568a6ea0cc63350716e4d58ce413acb9c239a76aa6ccaf84b4c0da38b9f4
                                  • Instruction Fuzzy Hash: 6841CE7061020ADFCB11CF58D88AA697BF5FB48342F1882B9E8159B250D731A819CF56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00231037
                                  • SetKeyboardState.USER32(00000080,?,00000001), ref: 00231053
                                  • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 002310B9
                                  • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0023110B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: KeyboardState$InputMessagePostSend
                                  • String ID:
                                  • API String ID: 432972143-0
                                  • Opcode ID: 8a51598d8d58fa4e4d2ff0af6fa04a688999bbc8b147aaba4b963a8fc5a13400
                                  • Instruction ID: 71e7b06c3faebce902926f0f1458b5a8e1110483b6e2c772d4095811e87d82a8
                                  • Opcode Fuzzy Hash: 8a51598d8d58fa4e4d2ff0af6fa04a688999bbc8b147aaba4b963a8fc5a13400
                                  • Instruction Fuzzy Hash: 94317CB0E60689AEFF388F25CC097FDBBA9AB48310F04431AF980521D0C37589F58765
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 00231176
                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 00231192
                                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 002311F1
                                  • SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 00231243
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: KeyboardState$InputMessagePostSend
                                  • String ID:
                                  • API String ID: 432972143-0
                                  • Opcode ID: 1d5f899c90e989894aa79bf6f5c41c0aca866d38ad05e92cadb35cc9c9b64c06
                                  • Instruction ID: 6d7eff3fa3e305799193ee4f5bae166782770dfe2335dc958a5c88962399d6e5
                                  • Opcode Fuzzy Hash: 1d5f899c90e989894aa79bf6f5c41c0aca866d38ad05e92cadb35cc9c9b64c06
                                  • Instruction Fuzzy Hash: 2E3158B0A6031D6EFF308E658C097FABBBAAB49310F04431AF6C8921D1C3748A759761
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0020644B
                                  • __isleadbyte_l.LIBCMT ref: 00206479
                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002064A7
                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002064DD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                  • String ID:
                                  • API String ID: 3058430110-0
                                  • Opcode ID: 387e94b63c22784246f305be5b7ecc9e0668f978289251d93e0aeb26ad13cdf6
                                  • Instruction ID: 00303788f57d3d1116586c43159dc75cf16d239239793101907967481c43e0fb
                                  • Opcode Fuzzy Hash: 387e94b63c22784246f305be5b7ecc9e0668f978289251d93e0aeb26ad13cdf6
                                  • Instruction Fuzzy Hash: B231AD3161035AAFDB318F65C889BBA7BB9FF40320F154029E864871E2EB31D870DB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetForegroundWindow.USER32 ref: 00255189
                                    • Part of subcall function 0023387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00233897
                                    • Part of subcall function 0023387D: GetCurrentThreadId.KERNEL32 ref: 0023389E
                                    • Part of subcall function 0023387D: AttachThreadInput.USER32(00000000,?,002352A7), ref: 002338A5
                                  • GetCaretPos.USER32(?), ref: 0025519A
                                  • ClientToScreen.USER32(00000000,?), ref: 002551D5
                                  • GetForegroundWindow.USER32 ref: 002551DB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                  • String ID:
                                  • API String ID: 2759813231-0
                                  • Opcode ID: 30f2ef20a3aa04cd62eb036fe92a1694dd33767336d7fa7cac7dd4d8f3181a4a
                                  • Instruction ID: c098aa25c3f37701710027c1a32094569d6b2b1152244f2592b510a66594169c
                                  • Opcode Fuzzy Hash: 30f2ef20a3aa04cd62eb036fe92a1694dd33767336d7fa7cac7dd4d8f3181a4a
                                  • Instruction Fuzzy Hash: AF311072910118AFDB00EFA5D985AEFB7FDEF98304F10406AE515E7241EB759E05CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D2612: GetWindowLongW.USER32(?,000000EB), ref: 001D2623
                                  • GetCursorPos.USER32(?), ref: 0025C7C2
                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0020BBFB,?,?,?,?,?), ref: 0025C7D7
                                  • GetCursorPos.USER32(?), ref: 0025C824
                                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0020BBFB,?,?,?), ref: 0025C85E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                  • String ID:
                                  • API String ID: 2864067406-0
                                  • Opcode ID: ba7209578f66150fe5959a14f51c81304331df2e6befaace6246fd9fa34c06db
                                  • Instruction ID: aad2ea4b17ee959d875734f2e8dee25cec49fc777223b0ead40556504dd8870a
                                  • Opcode Fuzzy Hash: ba7209578f66150fe5959a14f51c81304331df2e6befaace6246fd9fa34c06db
                                  • Instruction Fuzzy Hash: 4831CE35610218AFCB16CF58D89CEEA7BFAEB09311F144069FD058B261E7319D64DBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00228652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00228669
                                    • Part of subcall function 00228652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00228673
                                    • Part of subcall function 00228652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00228682
                                    • Part of subcall function 00228652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00228689
                                    • Part of subcall function 00228652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0022869F
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00228BEB
                                  • _memcmp.LIBCMT ref: 00228C0E
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00228C44
                                  • HeapFree.KERNEL32(00000000), ref: 00228C4B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                  • String ID:
                                  • API String ID: 1592001646-0
                                  • Opcode ID: 664d881d82a165e651a4a3c43b25036e959d8fe0cecf69e084da8c41cd03cdaf
                                  • Instruction ID: 141e6097f2d1bf4f071b6accbbf8c6991438a33baf4b6c4e64c91f34fdb57437
                                  • Opcode Fuzzy Hash: 664d881d82a165e651a4a3c43b25036e959d8fe0cecf69e084da8c41cd03cdaf
                                  • Instruction Fuzzy Hash: 60219C71E12219FFDB04DFA4D948BEEB7B8EF40355F14405AE554AB240DB30AA16CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __setmode.LIBCMT ref: 001F0BF2
                                    • Part of subcall function 001D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00237B20,?,?,00000000), ref: 001D5B8C
                                    • Part of subcall function 001D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00237B20,?,?,00000000,?,?), ref: 001D5BB0
                                  • _fprintf.LIBCMT ref: 001F0C29
                                  • OutputDebugStringW.KERNEL32(?), ref: 00226331
                                    • Part of subcall function 001F4CDA: _flsall.LIBCMT ref: 001F4CF3
                                  • __setmode.LIBCMT ref: 001F0C5E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                  • String ID:
                                  • API String ID: 521402451-0
                                  • Opcode ID: 877d907cfc26448c75e9283480e2179787cea04f627cbb41ca05b95678d1c195
                                  • Instruction ID: 2a6c956e43bb623fffdd7a6533f3ba849fdd0a2d1f4b2a8a110620dff3fc403a
                                  • Opcode Fuzzy Hash: 877d907cfc26448c75e9283480e2179787cea04f627cbb41ca05b95678d1c195
                                  • Instruction Fuzzy Hash: CA115672A0420CBBCB09B7B4AC879BF7B6A9F95320F14015AF304972D2DF611D9287A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00241A97
                                    • Part of subcall function 00241B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00241B40
                                    • Part of subcall function 00241B21: InternetCloseHandle.WININET(00000000), ref: 00241BDD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Internet$CloseConnectHandleOpen
                                  • String ID:
                                  • API String ID: 1463438336-0
                                  • Opcode ID: 5b984e150349b888e0578def680dacfb2831886d924910d141dad76ba01ecbf8
                                  • Instruction ID: 03c988d76965d1961097924df48ac24f7eee4e1427881be5ab002999f62400e0
                                  • Opcode Fuzzy Hash: 5b984e150349b888e0578def680dacfb2831886d924910d141dad76ba01ecbf8
                                  • Instruction Fuzzy Hash: FF21CF31210B01BFDB1A9F609C04FBABBA9FF88705F10001AFA5196650EB71E870DBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0022F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0022E1C4,?,?,?,0022EFB7,00000000,000000EF,00000119,?,?), ref: 0022F5BC
                                    • Part of subcall function 0022F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0022F5E2
                                    • Part of subcall function 0022F5AD: lstrcmpiW.KERNEL32(00000000,?,0022E1C4,?,?,?,0022EFB7,00000000,000000EF,00000119,?,?), ref: 0022F613
                                  • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0022EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0022E1DD
                                  • lstrcpyW.KERNEL32(00000000,?), ref: 0022E203
                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,0022EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0022E237
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: lstrcmpilstrcpylstrlen
                                  • String ID: cdecl
                                  • API String ID: 4031866154-3896280584
                                  • Opcode ID: 6785d189b33b84945e95fffcec49498d2fff1e18f1f35c431fa485b0571f376b
                                  • Instruction ID: 072303c667e91c89d54485613c2f84f8bf450f84aaa81d48b683bf36f20be849
                                  • Opcode Fuzzy Hash: 6785d189b33b84945e95fffcec49498d2fff1e18f1f35c431fa485b0571f376b
                                  • Instruction Fuzzy Hash: 4C11B136110355FFCF25AFB4E84997A77B8FF85310B41812AF806CB2A0EB719861D7A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _free.LIBCMT ref: 00205351
                                    • Part of subcall function 001F594C: __FF_MSGBANNER.LIBCMT ref: 001F5963
                                    • Part of subcall function 001F594C: __NMSG_WRITE.LIBCMT ref: 001F596A
                                    • Part of subcall function 001F594C: RtlAllocateHeap.NTDLL(010A0000,00000000,00000001,00000000,?,?,?,001F1013,?), ref: 001F598F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: AllocateHeap_free
                                  • String ID:
                                  • API String ID: 614378929-0
                                  • Opcode ID: d1f50ccc0164ea470d4330393ed47a8065d28bdba07667a0ed31dba352d33e26
                                  • Instruction ID: 9ec437d6d08c1f814bad9abec5a4401e149399a8ec2bc80070f760825d76afb5
                                  • Opcode Fuzzy Hash: d1f50ccc0164ea470d4330393ed47a8065d28bdba07667a0ed31dba352d33e26
                                  • Instruction Fuzzy Hash: 3B11CA32515B2AAFDB313F70BC4967F3798AF203E0F1044AAFA45961D2DFB589518B50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 001D4560
                                    • Part of subcall function 001D410D: _memset.LIBCMT ref: 001D418D
                                    • Part of subcall function 001D410D: _wcscpy.LIBCMT ref: 001D41E1
                                    • Part of subcall function 001D410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001D41F1
                                  • KillTimer.USER32(?,00000001,?,?), ref: 001D45B5
                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001D45C4
                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0020D6CE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                  • String ID:
                                  • API String ID: 1378193009-0
                                  • Opcode ID: 84d619790c977c7f4d61a362469e974a84fa8ad4c3bf3684b7bf5083b44030a1
                                  • Instruction ID: 4635090c3e86ef910d6bc68846b7e64ae0651638d93bd1cd81c22affe510bb12
                                  • Opcode Fuzzy Hash: 84d619790c977c7f4d61a362469e974a84fa8ad4c3bf3684b7bf5083b44030a1
                                  • Instruction Fuzzy Hash: 8321F370905784AFEB328B64EC49BF7BBEC9F11308F04009EE69E56282C7B55A84CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002340D1
                                  • _memset.LIBCMT ref: 002340F2
                                  • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00234144
                                  • CloseHandle.KERNEL32(00000000), ref: 0023414D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CloseControlCreateDeviceFileHandle_memset
                                  • String ID:
                                  • API String ID: 1157408455-0
                                  • Opcode ID: f7fa9ea9b2d0ea1ce06a2c72bed009f94e82aacff042ba5aa5e6670861c9e601
                                  • Instruction ID: 7b993aa2a670c57004c601bdc4cafc3a9eb2eac027912832a33c02dd4a7a7ba6
                                  • Opcode Fuzzy Hash: f7fa9ea9b2d0ea1ce06a2c72bed009f94e82aacff042ba5aa5e6670861c9e601
                                  • Instruction Fuzzy Hash: 8911EBB59113287AD7305BA5AC4DFABBB7CEF44760F1041D6F908D7180D6744E808BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00237B20,?,?,00000000), ref: 001D5B8C
                                    • Part of subcall function 001D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00237B20,?,?,00000000,?,?), ref: 001D5BB0
                                  • gethostbyname.WSOCK32(?,?,?), ref: 002466AC
                                  • WSAGetLastError.WSOCK32(00000000), ref: 002466B7
                                  • _memmove.LIBCMT ref: 002466E4
                                  • inet_ntoa.WSOCK32(?), ref: 002466EF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                  • String ID:
                                  • API String ID: 1504782959-0
                                  • Opcode ID: 76a6a71011dc017abf939abee09dca9f118c505b272ced6060c2cab3e4fe83b2
                                  • Instruction ID: 1c14710a224df5e90e354995bebf5e44edfb6476c6798ab3116e6150e08d41b7
                                  • Opcode Fuzzy Hash: 76a6a71011dc017abf939abee09dca9f118c505b272ced6060c2cab3e4fe83b2
                                  • Instruction Fuzzy Hash: D911B236510509AFCB04FFA0DD8ADEEB7B9EF54310B044026F502A7261DF31AE14CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00229043
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00229055
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0022906B
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00229086
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: f72fb008de51f77c23f5524e48bd0d3ffb855d7a5da824e7c0b1d13e0bf10753
                                  • Instruction ID: 014f5c402630832586b62440e57f1a0f90b4ee23d7f46f18cf94f455736b96cc
                                  • Opcode Fuzzy Hash: f72fb008de51f77c23f5524e48bd0d3ffb855d7a5da824e7c0b1d13e0bf10753
                                  • Instruction Fuzzy Hash: C4114C79900218FFEB10DFA5C984E9DBBB8FB48710F2040A5EA04B7250D6726E50DB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D2612: GetWindowLongW.USER32(?,000000EB), ref: 001D2623
                                  • DefDlgProcW.USER32(?,00000020,?), ref: 001D12D8
                                  • GetClientRect.USER32(?,?), ref: 0020B84B
                                  • GetCursorPos.USER32(?), ref: 0020B855
                                  • ScreenToClient.USER32(?,?), ref: 0020B860
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Client$CursorLongProcRectScreenWindow
                                  • String ID:
                                  • API String ID: 4127811313-0
                                  • Opcode ID: 483c2dc7ebf57f9e46e840f0adf1b97713c5dbd2e04b6d2607e3888db021f6fc
                                  • Instruction ID: f315a239823bf51a6d0ce660f2c48bdfc9c2325de022041b2f1af7d69bb9a568
                                  • Opcode Fuzzy Hash: 483c2dc7ebf57f9e46e840f0adf1b97713c5dbd2e04b6d2607e3888db021f6fc
                                  • Instruction Fuzzy Hash: 17118835A00119BFCB00EFA8E8899FE77B9FB05301F600456F911E3250D731BA518BA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002301FD,?,00231250,?,00008000), ref: 0023166F
                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,002301FD,?,00231250,?,00008000), ref: 00231694
                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002301FD,?,00231250,?,00008000), ref: 0023169E
                                  • Sleep.KERNEL32(?,?,?,?,?,?,?,002301FD,?,00231250,?,00008000), ref: 002316D1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CounterPerformanceQuerySleep
                                  • String ID:
                                  • API String ID: 2875609808-0
                                  • Opcode ID: 02406ba5f360e39a777c6abb42e82ec62b6c02861db0e5645694a15e0edb15ec
                                  • Instruction ID: bc08c563d1e8f06ab2ec098dabe0d3170583cb19a028dc229ad7cae9dfe57c9d
                                  • Opcode Fuzzy Hash: 02406ba5f360e39a777c6abb42e82ec62b6c02861db0e5645694a15e0edb15ec
                                  • Instruction Fuzzy Hash: EB115A71C21A1DD7CF00AFE6E94AAEEBB7CFF09702F04405AE944B2240CB7055708B96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                  • String ID:
                                  • API String ID: 3016257755-0
                                  • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                  • Instruction ID: e4634f77801b42d62fd3cce89424d0dc8e1470aa03c73188f1807605d4a5b51e
                                  • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                  • Instruction Fuzzy Hash: 5C014E3686424EBFCF525E84CC418EE3F62BF59351F588515FE1858072D236E9B1AB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 0025B59E
                                  • ScreenToClient.USER32(?,?), ref: 0025B5B6
                                  • ScreenToClient.USER32(?,?), ref: 0025B5DA
                                  • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0025B5F5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ClientRectScreen$InvalidateWindow
                                  • String ID:
                                  • API String ID: 357397906-0
                                  • Opcode ID: 4339b7e2402c1595f0b1e7c2aee8fa5084a7e5bdf4406ac337f81f5eeea93290
                                  • Instruction ID: 05617fa94df8746010843948e22a56c1f4256b88ef86c37bca0508d8d39c9605
                                  • Opcode Fuzzy Hash: 4339b7e2402c1595f0b1e7c2aee8fa5084a7e5bdf4406ac337f81f5eeea93290
                                  • Instruction Fuzzy Hash: 371146B5D00209EFDB41CF99D5449EEFBB9FB08311F504166E914E3220D735AA658F54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 0025B8FE
                                  • _memset.LIBCMT ref: 0025B90D
                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00297F20,00297F64), ref: 0025B93C
                                  • CloseHandle.KERNEL32 ref: 0025B94E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _memset$CloseCreateHandleProcess
                                  • String ID:
                                  • API String ID: 3277943733-0
                                  • Opcode ID: 1db86ed949dae90f4f546abf0eee750591ae28fb565525113a006ec81c0ab9c2
                                  • Instruction ID: f0613483c998537dd3b859f0b77daf80745b829545c44b9fa819563cc5d5529a
                                  • Opcode Fuzzy Hash: 1db86ed949dae90f4f546abf0eee750591ae28fb565525113a006ec81c0ab9c2
                                  • Instruction Fuzzy Hash: 7DF082F25643047BF6102B61BC0DFBB3A5CEB19355F000072BB08E55A2D7718D1087AC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • EnterCriticalSection.KERNEL32(?), ref: 00236E88
                                    • Part of subcall function 0023794E: _memset.LIBCMT ref: 00237983
                                  • _memmove.LIBCMT ref: 00236EAB
                                  • _memset.LIBCMT ref: 00236EB8
                                  • LeaveCriticalSection.KERNEL32(?), ref: 00236EC8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CriticalSection_memset$EnterLeave_memmove
                                  • String ID:
                                  • API String ID: 48991266-0
                                  • Opcode ID: 7c4127e6c55fc605856c219f14683e839f6fd589d440b725b2e36ad969de3f78
                                  • Instruction ID: 67cff9023f8bcb3611b524f250161c6730927f50fa3baa6673f5d5e05a55f004
                                  • Opcode Fuzzy Hash: 7c4127e6c55fc605856c219f14683e839f6fd589d440b725b2e36ad969de3f78
                                  • Instruction Fuzzy Hash: C3F0547A200204BBCF416F55EC85B5ABB29EF45321F048061FE089E216CB31E911CBB4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001D134D
                                    • Part of subcall function 001D12F3: SelectObject.GDI32(?,00000000), ref: 001D135C
                                    • Part of subcall function 001D12F3: BeginPath.GDI32(?), ref: 001D1373
                                    • Part of subcall function 001D12F3: SelectObject.GDI32(?,00000000), ref: 001D139C
                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0025C030
                                  • LineTo.GDI32(00000000,?,?), ref: 0025C03D
                                  • EndPath.GDI32(00000000), ref: 0025C04D
                                  • StrokePath.GDI32(00000000), ref: 0025C05B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                  • String ID:
                                  • API String ID: 1539411459-0
                                  • Opcode ID: a1ea8caa92fc895021935c67ecd0ffd605003689e7a6cad53c651244fef9ad43
                                  • Instruction ID: b0c28a2d9d87f37c5b81b1b6e7e76ce8740cea34f19b204d4966949c5e446bfe
                                  • Opcode Fuzzy Hash: a1ea8caa92fc895021935c67ecd0ffd605003689e7a6cad53c651244fef9ad43
                                  • Instruction Fuzzy Hash: 4DF05E32001369BBDB126F55BD0DFDE3F99AF05312F184001FA11610E287765669CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0022A399
                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0022A3AC
                                  • GetCurrentThreadId.KERNEL32 ref: 0022A3B3
                                  • AttachThreadInput.USER32(00000000), ref: 0022A3BA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                  • String ID:
                                  • API String ID: 2710830443-0
                                  • Opcode ID: cddb6f70356cbdb99f94c2ceb1a2543863687e1503cfd847b013cc2909df38cd
                                  • Instruction ID: 61e91dba4d463d267de166befc7b003592cbdb0f9aeac0d409eac143b6ab20a4
                                  • Opcode Fuzzy Hash: cddb6f70356cbdb99f94c2ceb1a2543863687e1503cfd847b013cc2909df38cd
                                  • Instruction Fuzzy Hash: A5E03931141338BBDB205FA2ED0CED73F1CEF167A2F008024F50985460C6758550CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetSysColor.USER32(00000008), ref: 001D2231
                                  • SetTextColor.GDI32(?,000000FF), ref: 001D223B
                                  • SetBkMode.GDI32(?,00000001), ref: 001D2250
                                  • GetStockObject.GDI32(00000005), ref: 001D2258
                                  • GetWindowDC.USER32(?,00000000), ref: 0020C0D3
                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 0020C0E0
                                  • GetPixel.GDI32(00000000,?,00000000), ref: 0020C0F9
                                  • GetPixel.GDI32(00000000,00000000,?), ref: 0020C112
                                  • GetPixel.GDI32(00000000,?,?), ref: 0020C132
                                  • ReleaseDC.USER32(?,00000000), ref: 0020C13D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                  • String ID:
                                  • API String ID: 1946975507-0
                                  • Opcode ID: 80e18ad8822cbe1d85159260cb238884e8218d0f3cf35588f2708e5a27a89e74
                                  • Instruction ID: 009b42839c65b0d9316b6f8d606fe920519123b61ae3e5359d6cda18db109508
                                  • Opcode Fuzzy Hash: 80e18ad8822cbe1d85159260cb238884e8218d0f3cf35588f2708e5a27a89e74
                                  • Instruction Fuzzy Hash: 4DE03932100745EADB615F64FD0DBD87B11EB15332F108366FAAD480E287718990DB11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentThread.KERNEL32 ref: 00228C63
                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,0022882E), ref: 00228C6A
                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0022882E), ref: 00228C77
                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,0022882E), ref: 00228C7E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CurrentOpenProcessThreadToken
                                  • String ID:
                                  • API String ID: 3974789173-0
                                  • Opcode ID: ee574eee852e8861641d917633b752deca64f73b3ad5f08100916e3e09505798
                                  • Instruction ID: 7884ea0e5a81080ba49732ae66db055865b950cb63babf0e0c02be66a3e03e92
                                  • Opcode Fuzzy Hash: ee574eee852e8861641d917633b752deca64f73b3ad5f08100916e3e09505798
                                  • Instruction Fuzzy Hash: 95E04F76656321ABD7A05FB07E0CB573BA8AF50793F084828A645CA080DA3488518B65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetDesktopWindow.USER32 ref: 00212187
                                  • GetDC.USER32(00000000), ref: 00212191
                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 002121B1
                                  • ReleaseDC.USER32(?), ref: 002121D2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CapsDesktopDeviceReleaseWindow
                                  • String ID:
                                  • API String ID: 2889604237-0
                                  • Opcode ID: 04380fffa7ea47d7262ba434a5c671256fe52dbd582b88e9070dd743169b6168
                                  • Instruction ID: da76143b522afe0ba43c793afbd20ffb87df4b5d225bb8b636f5d158dc7a20f7
                                  • Opcode Fuzzy Hash: 04380fffa7ea47d7262ba434a5c671256fe52dbd582b88e9070dd743169b6168
                                  • Instruction Fuzzy Hash: 6BE0E575800214EFDB819F60E94CA9D7BF5EB5C352F118426F96A97260DB7881419F44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetDesktopWindow.USER32 ref: 0021219B
                                  • GetDC.USER32(00000000), ref: 002121A5
                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 002121B1
                                  • ReleaseDC.USER32(?), ref: 002121D2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CapsDesktopDeviceReleaseWindow
                                  • String ID:
                                  • API String ID: 2889604237-0
                                  • Opcode ID: 2e54e95d0830ee04cdcc48d911ef29ba78dc5ebb06ab168529668d7fab378aec
                                  • Instruction ID: fe3781c294d50959503cf48e8668d0573a8ed28a308bfcdd0de48e57115782bd
                                  • Opcode Fuzzy Hash: 2e54e95d0830ee04cdcc48d911ef29ba78dc5ebb06ab168529668d7fab378aec
                                  • Instruction Fuzzy Hash: 01E0E575800214AFCB819F60E94C69D7BA5AB5C312F118425F96A97260DB3891419F44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: %&
                                  • API String ID: 0-3738157446
                                  • Opcode ID: 6be6e9b5231731414c7cdfbce051a25ed5c96468a262e664d64cf2f17ab89233
                                  • Instruction ID: 045d1fefd43bed82b74210e415cc6c83a1853576ca1d31b7ff32235f95204fb3
                                  • Opcode Fuzzy Hash: 6be6e9b5231731414c7cdfbce051a25ed5c96468a262e664d64cf2f17ab89233
                                  • Instruction Fuzzy Hash: C3B1CE7190020A9BCF24EF98C8919FEBBB5FF54350F554127E902A7395EB349E82CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __itow_s
                                  • String ID: xr)$xr)
                                  • API String ID: 3653519197-3805880852
                                  • Opcode ID: 45a989ad1b799181f4ad2bd50a62b0688b7f62d0e754b700b1280c41cb9f00a9
                                  • Instruction ID: c26c4e59cc20df55e71289f286f1cfecacc03e2739b1ef3c2a5a64fad64172e3
                                  • Opcode Fuzzy Hash: 45a989ad1b799181f4ad2bd50a62b0688b7f62d0e754b700b1280c41cb9f00a9
                                  • Instruction Fuzzy Hash: 32B18170A1010AAFDF19DF54C890EBEBBB9FF58300F14845AF9459B292EB70E951CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001EFEC6: _wcscpy.LIBCMT ref: 001EFEE9
                                    • Part of subcall function 001D9997: __itow.LIBCMT ref: 001D99C2
                                    • Part of subcall function 001D9997: __swprintf.LIBCMT ref: 001D9A0C
                                  • __wcsnicmp.LIBCMT ref: 0023B298
                                  • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0023B361
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                  • String ID: LPT
                                  • API String ID: 3222508074-1350329615
                                  • Opcode ID: 77fc8ceb0bd15c96c4d7e39fc90906ce1f1bb1ad50572d6b3d6aa11aa3b58af9
                                  • Instruction ID: 55ab6f78dc04247f4a3912598fdca632e665d9fbbc90fa51f203fa65d9b11014
                                  • Opcode Fuzzy Hash: 77fc8ceb0bd15c96c4d7e39fc90906ce1f1bb1ad50572d6b3d6aa11aa3b58af9
                                  • Instruction Fuzzy Hash: 5561C6B6A10215EFCB15DF94C895EAEB7B4EF18310F11409EFA06AB391DB70AE50CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Sleep.KERNEL32(00000000), ref: 001E2AC8
                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 001E2AE1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: GlobalMemorySleepStatus
                                  • String ID: @
                                  • API String ID: 2783356886-2766056989
                                  • Opcode ID: fd7c2e0201086399f994479ba30ac80b37120fda1b0d7a96336e1f7bef4a36f8
                                  • Instruction ID: 00ce4eaf85680a9bd4825a2150f23870a5bd34e65a0088a6188759078b5e08d1
                                  • Opcode Fuzzy Hash: fd7c2e0201086399f994479ba30ac80b37120fda1b0d7a96336e1f7bef4a36f8
                                  • Instruction Fuzzy Hash: 655148724187549BD320AF10EC86BAFBBECFF95314F42885EF1D9511A1DB308969CB26
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D506B: __fread_nolock.LIBCMT ref: 001D5089
                                  • _wcscmp.LIBCMT ref: 00239AAE
                                  • _wcscmp.LIBCMT ref: 00239AC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: _wcscmp$__fread_nolock
                                  • String ID: FILE
                                  • API String ID: 4029003684-3121273764
                                  • Opcode ID: 0e9a1ee2eb0ab96f91b1a054b81a27cd50e74d2666fc460260c3b8733fe9663f
                                  • Instruction ID: 70223dc1d6723dfa2b9ca168514f8ccfe78993c0e9aafd7a6959fc2b8d2cec94
                                  • Opcode Fuzzy Hash: 0e9a1ee2eb0ab96f91b1a054b81a27cd50e74d2666fc460260c3b8733fe9663f
                                  • Instruction Fuzzy Hash: 09410CB1A106097BDF109EA4CC45FEFBBBEDF55714F10006AF900A7181D7B59954CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID: Dt)$Dt)
                                  • API String ID: 1473721057-543733085
                                  • Opcode ID: 4016dd99ca16fb878b1794c074ba0398f31c3f15730249f1f1a7c2723a62ed6c
                                  • Instruction ID: 7f064eff83a638ab8ce18a8cdac5348dfe738bbb9e7ea7674dec92767ce0ec3b
                                  • Opcode Fuzzy Hash: 4016dd99ca16fb878b1794c074ba0398f31c3f15730249f1f1a7c2723a62ed6c
                                  • Instruction Fuzzy Hash: B451F5786183429FC754CF19C084A6ABBF2BF99344F94885EF9858B321D771EC81CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 00242892
                                  • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002428C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CrackInternet_memset
                                  • String ID: |
                                  • API String ID: 1413715105-2343686810
                                  • Opcode ID: d28d282a9a545c7a8adc3b76d5615ba7e025c2f79481bdae439fdd5c2f502008
                                  • Instruction ID: f6d8fa4cc9f6ce6bb90321b0e3c1c2b58776112e6077eb8fa2ea28a63aa9081b
                                  • Opcode Fuzzy Hash: d28d282a9a545c7a8adc3b76d5615ba7e025c2f79481bdae439fdd5c2f502008
                                  • Instruction Fuzzy Hash: 6F311A71810119EFCF05AFA1DC85EEEBFB9FF18350F10402AF815A6266EB315A56DB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DestroyWindow.USER32(?,?,?,?), ref: 00256D86
                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00256DC2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$DestroyMove
                                  • String ID: static
                                  • API String ID: 2139405536-2160076837
                                  • Opcode ID: cba0b7a870b090ea47461b255210de3dc7003e74fef7fea2c49ce1e55253bd7c
                                  • Instruction ID: 2646c86ac3efbf850dc103dcdfd03562df7d5c42821ddcf1c55dca87a7b5864f
                                  • Opcode Fuzzy Hash: cba0b7a870b090ea47461b255210de3dc7003e74fef7fea2c49ce1e55253bd7c
                                  • Instruction Fuzzy Hash: B8319E71220605AADB109F64CC88BFB77B9FF48721F508619FCA587190DB31ACA5CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 00232E00
                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00232E3B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: InfoItemMenu_memset
                                  • String ID: 0
                                  • API String ID: 2223754486-4108050209
                                  • Opcode ID: 6015e2b237930b846cdf99a767b756494541beb7582ffcbb4343b102acd8437f
                                  • Instruction ID: e15dd2d4573eb97ce884a3e2a3d0b04c8a4c19384b04b2dffdd9c42b42c2dd58
                                  • Opcode Fuzzy Hash: 6015e2b237930b846cdf99a767b756494541beb7582ffcbb4343b102acd8437f
                                  • Instruction Fuzzy Hash: 9D31E9B1A1030AEBEB248F58D8467AEBBF9FF05350F14042AE985A61A1D770A958CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002569D0
                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002569DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: Combobox
                                  • API String ID: 3850602802-2096851135
                                  • Opcode ID: 3898e299446b57c267d3a66446c4fd6ba95918bc11d74c279a1f98cc5b313695
                                  • Instruction ID: 5465e4cc3086022597adbadf58a2a8b566557092e86b0a122a2feae0a742bbb8
                                  • Opcode Fuzzy Hash: 3898e299446b57c267d3a66446c4fd6ba95918bc11d74c279a1f98cc5b313695
                                  • Instruction Fuzzy Hash: 1C11387132020A7FEF118F14CC88EFB376EEB893A5F500124FD5897290C6319C658BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 001D1D73
                                    • Part of subcall function 001D1D35: GetStockObject.GDI32(00000011), ref: 001D1D87
                                    • Part of subcall function 001D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 001D1D91
                                  • GetWindowRect.USER32(00000000,?), ref: 00256EE0
                                  • GetSysColor.USER32(00000012), ref: 00256EFA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                  • String ID: static
                                  • API String ID: 1983116058-2160076837
                                  • Opcode ID: 9da4786ea9a19fb6ad0e9e0c445726362ea67785f42927d0055024ce3db5e938
                                  • Instruction ID: babddd96e72e2bf5d195f5f4dd8ddda78552f4594f7afef1fdc3e222ac4e413c
                                  • Opcode Fuzzy Hash: 9da4786ea9a19fb6ad0e9e0c445726362ea67785f42927d0055024ce3db5e938
                                  • Instruction Fuzzy Hash: 8E215972A2020AAFDB04DFA8DD49EFA7BB8FB08315F004629FD55D3250E734E8659B54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetWindowTextLengthW.USER32(00000000), ref: 00256C11
                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00256C20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: LengthMessageSendTextWindow
                                  • String ID: edit
                                  • API String ID: 2978978980-2167791130
                                  • Opcode ID: 695507b90aeaf73f44b2ed42d27505f425e8cfb7c2aa65e6dc2d88b38c4bba99
                                  • Instruction ID: 17ce58231ce214521aaa2df335d5490dcf511a6d1203078a9cb4d615b1e577d0
                                  • Opcode Fuzzy Hash: 695507b90aeaf73f44b2ed42d27505f425e8cfb7c2aa65e6dc2d88b38c4bba99
                                  • Instruction Fuzzy Hash: 5711E271120209ABEF104E64DC49AE73769EB0437AF900724FD60E71D0C771DCA49B18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _memset.LIBCMT ref: 00232F11
                                  • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00232F30
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: InfoItemMenu_memset
                                  • String ID: 0
                                  • API String ID: 2223754486-4108050209
                                  • Opcode ID: 996a60e002db68483529cce3d0d9815b24e8e4493d37b18eff1e8df2db6ebe4f
                                  • Instruction ID: 13718cabce23b89cc2d9b7fc745710a1da8bb96387b6f037f6f1299bf2133924
                                  • Opcode Fuzzy Hash: 996a60e002db68483529cce3d0d9815b24e8e4493d37b18eff1e8df2db6ebe4f
                                  • Instruction Fuzzy Hash: EE11E2B1A21215EBCB21DF58DC49BA973B9FB01350F0400A2EC54A72A0D7B0EE2CC791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00242520
                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00242549
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Internet$OpenOption
                                  • String ID: <local>
                                  • API String ID: 942729171-4266983199
                                  • Opcode ID: d8c3ee158b5b94a6906067cb3d649e68cfbe4528cf966e4430e3d35f4fc559d2
                                  • Instruction ID: 2cb75ced2dcdb7739df65ff802f7388e8c8bf78c6d47abb2f0fd8536f9e2b454
                                  • Opcode Fuzzy Hash: d8c3ee158b5b94a6906067cb3d649e68cfbe4528cf966e4430e3d35f4fc559d2
                                  • Instruction Fuzzy Hash: F5110670521226FADB2C9F528C98EBBFF6CFF06351F90812AF50543040D2B06968DAF0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0024830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,002480C8,?,00000000,?,?), ref: 00248322
                                  • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002480CB
                                  • htons.WSOCK32(00000000,?,00000000), ref: 00248108
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWidehtonsinet_addr
                                  • String ID: 255.255.255.255
                                  • API String ID: 2496851823-2422070025
                                  • Opcode ID: c64c6ab2b3e4f0a7efd9c426d29c7d0b55cbdbc4544bbafb6268284556c2d956
                                  • Instruction ID: 903a5e55a80fa304eee877614ab7db7ab9791575300f427c8f7858cc75b2b74e
                                  • Opcode Fuzzy Hash: c64c6ab2b3e4f0a7efd9c426d29c7d0b55cbdbc4544bbafb6268284556c2d956
                                  • Instruction Fuzzy Hash: 4D11E134620306ABDB24AFA4DC46FBDB734FF04320F108567EA159B291DB72A821CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,001D3C26,002962F8,?,?,?), ref: 001E0ACE
                                    • Part of subcall function 001D7D2C: _memmove.LIBCMT ref: 001D7D66
                                  • _wcscat.LIBCMT ref: 002150E1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: FullNamePath_memmove_wcscat
                                  • String ID: c)
                                  • API String ID: 257928180-3897767060
                                  • Opcode ID: 1c0ae0d944632bcdcf759b1e3e1d8fff7f6a9014a39520fb1f9a56a2949d83ec
                                  • Instruction ID: 3be4d687c107101ef5873611dac81bc5857018a0f4c8d6b18ee22764ec55ea21
                                  • Opcode Fuzzy Hash: 1c0ae0d944632bcdcf759b1e3e1d8fff7f6a9014a39520fb1f9a56a2949d83ec
                                  • Instruction Fuzzy Hash: 4211A134A14608AB8B41EBA4DC45EDD73F9FF1C750B0004E6F948D7281EBB09BD88B15
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                    • Part of subcall function 0022B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0022B0E7
                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00229355
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ClassMessageNameSend_memmove
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 372448540-1403004172
                                  • Opcode ID: dba155b098c0cd36a0d94deb6a37be8d8dbf984e39a8cba215a4c80e8f5749e8
                                  • Instruction ID: 1d55a04697a0aa5d687c2de1b487cc945e982af10cbea4bb45e00599d5fcc1c5
                                  • Opcode Fuzzy Hash: dba155b098c0cd36a0d94deb6a37be8d8dbf984e39a8cba215a4c80e8f5749e8
                                  • Instruction Fuzzy Hash: 6901F171A21225BBCB05FBA0DC918FE7369BF16320B14065AF832573D2EB31596CCB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                    • Part of subcall function 0022B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0022B0E7
                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 0022924D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ClassMessageNameSend_memmove
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 372448540-1403004172
                                  • Opcode ID: 5ec1b12745761ff55f323692f29f3bcca0ae6bad87b69840eda4b0f3ee5289b1
                                  • Instruction ID: d2a58ec7031054b011683490dd62876b28f7388a391a7cf40b45a2f977682582
                                  • Opcode Fuzzy Hash: 5ec1b12745761ff55f323692f29f3bcca0ae6bad87b69840eda4b0f3ee5289b1
                                  • Instruction Fuzzy Hash: 4D01F771A51215BBCB19EBE0D992EFF73AC9F55300F14011AB912632C2EB155F2C8671
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 001D7F41: _memmove.LIBCMT ref: 001D7F82
                                    • Part of subcall function 0022B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0022B0E7
                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 002292D0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ClassMessageNameSend_memmove
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 372448540-1403004172
                                  • Opcode ID: ee40f84adb499deb8e19ec4f84f536af9dfb40bc261321ed7fc74c38b73930d3
                                  • Instruction ID: 039a5d2b71727a14d814418f9d46edafcc50cb977b394ac75490ca021d85d7e4
                                  • Opcode Fuzzy Hash: ee40f84adb499deb8e19ec4f84f536af9dfb40bc261321ed7fc74c38b73930d3
                                  • Instruction Fuzzy Hash: 6901A271A51229BBCB15EBE4D982EFF77AC9F11300F280116B812632C2DB255F6C9671
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: __calloc_crt
                                  • String ID: @R)
                                  • API String ID: 3494438863-1172632424
                                  • Opcode ID: f3cb70eb313378478d75003d0117134632d41a3a7afad70da32f9c81f5cb8f6c
                                  • Instruction ID: b37c6947f350ab2bb69f0daeb70fc92dfec37030f20b33e5c87f42b11c8c9133
                                  • Opcode Fuzzy Hash: f3cb70eb313378478d75003d0117134632d41a3a7afad70da32f9c81f5cb8f6c
                                  • Instruction Fuzzy Hash: 7DF09672709B1A9BF728DF58FD097B127D5E750760F100527E708CB5D5EB3088818780
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: ClassName_wcscmp
                                  • String ID: #32770
                                  • API String ID: 2292705959-463685578
                                  • Opcode ID: 73bee26f98f57bb271a2d99e4fc19094e0d808c78158a37b65e112dfda59f370
                                  • Instruction ID: f3a8da46301fd8f979494fb8d0367f98f81df51ab46fbf9519aff25bcef97b55
                                  • Opcode Fuzzy Hash: 73bee26f98f57bb271a2d99e4fc19094e0d808c78158a37b65e112dfda59f370
                                  • Instruction Fuzzy Hash: DDE02272A0022D2AE320AA99AC09AA7F7ACEB45721F00016BFD14D3040E6609A148BE0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002281CA
                                    • Part of subcall function 001F3598: _doexit.LIBCMT ref: 001F35A2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: Message_doexit
                                  • String ID: AutoIt$Error allocating memory.
                                  • API String ID: 1993061046-4017498283
                                  • Opcode ID: 61c07254f924b42b308a6b1585541c45a51cd00ce3704301ba80c705ebda60c8
                                  • Instruction ID: 68716c97527422de165fe3516f34e72d9ba11258e4eb80637e8fa25e9f898a73
                                  • Opcode Fuzzy Hash: 61c07254f924b42b308a6b1585541c45a51cd00ce3704301ba80c705ebda60c8
                                  • Instruction Fuzzy Hash: 96D05B323D631C33D21432E47D0BFDA75484B26B52F144416BB08555D3CFE195E142DD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0020B564: _memset.LIBCMT ref: 0020B571
                                    • Part of subcall function 001F0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0020B540,?,?,?,001D100A), ref: 001F0B89
                                  • IsDebuggerPresent.KERNEL32(?,?,?,001D100A), ref: 0020B544
                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001D100A), ref: 0020B553
                                  Strings
                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0020B54E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1240377268.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000000.00000002.1240297079.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.000000000025F000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240427656.0000000000285000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240471664.000000000028F000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1240524844.0000000000298000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1d0000_ekstre_pdf.jbxd
                                  Similarity
                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                  • API String ID: 3158253471-631824599
                                  • Opcode ID: dfb47ce20d5557ab5c20544f514ef14c98c7cfdc9f0a015d6ce5ea9ca1654ef9
                                  • Instruction ID: 1556ea3479b1fa00c2cf108eb0d6442ab0a56b76bc182e739f6bb2cf96ae86c3
                                  • Opcode Fuzzy Hash: dfb47ce20d5557ab5c20544f514ef14c98c7cfdc9f0a015d6ce5ea9ca1654ef9
                                  • Instruction Fuzzy Hash: EFE06DB0620711CFD772DF28E9083427BE0AB04745F0089ADE846C3792E7B4E418CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%